CVE-2025-0069
Published: 14 January 2025
Summary
CVE-2025-0069 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in SAP (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Side-Loading (T1574.002). The CVE ranks at the 10.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the DLL injection vulnerability in SAPSetup by requiring timely application of SAP-provided patches as noted in security note 3542533.
Enforces least privilege to limit the scope of local user accounts that can exploit the vulnerability for privilege escalation and subsequent lateral movement.
Implements memory protections such as DEP and ASLR to hinder DLL injection attacks by preventing unauthorized code execution in process memory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CWE-427 DLL search path vulnerability in SAPSetup directly enables DLL side-loading (T1574.002) for local privilege escalation (T1068) on Windows.
NVD Description
Due to DLL injection vulnerability in SAPSetup, an attacker with either local user privileges or with access to a compromised corporate user's Windows account could gain higher privileges. With this, he could move laterally within the network and further compromise the active directory of a company. This leads to high impact on confidentiality, integrity and availability of the Windows server.
Deeper analysis
CVE-2025-0069 is a DLL injection vulnerability (CWE-427) in the SAPSetup component, affecting Windows servers used in SAP environments. Published on January 14, 2025, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for privilege escalation with changed scope.
An attacker with local user privileges (PR:L) or access to a compromised corporate user's Windows account can exploit this vulnerability despite high attack complexity (AC:H). Successful exploitation allows elevation to higher privileges on the Windows server, enabling lateral movement across the network and potential compromise of the company's Active Directory. This results in high impacts on confidentiality, integrity, and availability.
SAP advisories provide mitigation details, including security note 3542533 at https://me.sap.com/notes/3542533 and further information on their SAP Security Patch Day at https://url.sap/sapsecuritypatchday, recommending application of relevant patches to address the DLL injection issue in SAPSetup.
Details
- CWE(s)