CVE-2025-0064
Published: 11 February 2025
Summary
CVE-2025-0064 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in SAP BusinessObjects Business Intelligence Platform. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The vulnerability ranks at the 18.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation through application of SAP patches directly fixes the flaw that allows admins to generate or retrieve the secret passphrase in the Central Management Console.
Enforcing least privilege limits the number of administrative accounts that could exploit the vulnerability, which requires high privileges (PR:H), to impersonate users.
Requires the system to enforce approved access authorizations, addressing the incorrect permission assignment (CWE-732) to the critical secret passphrase resource.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Admin access to retrieve the secret passphrase directly enables impersonation via valid accounts (T1078) and use of alternate authentication material (T1550).
NVD Description
Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high impact on confidentiality and integrity, with no impact on availability.
Deeper analysis
CVE-2025-0064 is a vulnerability in the Central Management Console of the SAP BusinessObjects Business Intelligence platform. Under specific conditions, an attacker with administrative rights can generate or retrieve a secret passphrase, which enables them to impersonate any user in the system. This issue, linked to CWE-732 (Incorrect Permission Assignment for Critical Resource), carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity with no availability disruption.
Exploitation requires an attacker to possess administrative privileges on the affected system; the attack is network-based, low in complexity, and needs no user interaction. Successful exploitation grants the ability to impersonate any user, potentially leading to unauthorized access to sensitive data and manipulation of system configurations or reports.
SAP advisories, including security note 3525794 and details from the SAP Security Patch Day, provide guidance on mitigation, such as applying available patches to address the vulnerability in the Central Management Console.
Details
- CWE(s)