Description
SAP BusinessObjects Business Intelligence Platform (AdminTools) allows an authenticated attacker with user privileges to execute a specific query in AdminTools that could cause the Content Management Server (CMS) to crash, rendering the CMS partially or completely unavailable and resulting in the denial of service of the Content Management Server (CMS). Successful exploitation impacts system availability, while confidentiality and integrity remain unaffected.
Published: 2026-02-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

This vulnerability exists in the AdminTools component of SAP BusinessObjects Business Intelligence Platform. An authenticated user with standard privileges can submit a specially crafted query that causes the Content Management Server to crash, making the CMS unavailable. The flaw is identified as CWE‑405, reflecting improper handling of input that can trigger an application crash.

Affected Systems

SAP SE’s SAP BusinessObjects Business Intelligence Platform (AdminTools) for the 2025, 2027, and 430 enterprise releases are affected. These versions run on the enterprise edition and the problem is present across all supported operating environments for those releases.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild, although the vulnerability is not listed in the CISA KEV catalog. An attacker must first be authenticated with normal user rights to execute the vulnerable query, so the attack vector is local or internal. Successful exploitation would result in a denial of service to the Content Management Server, affecting availability while leaving confidentiality and integrity unchanged.

Generated by OpenCVE AI on April 17, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch referenced in SAP Note 3695912 or the latest SAP Security Patch Day release to update the AdminTools component of SAP BusinessObjects Business Intelligence Platform
  • Restrict or remove user privileges for executing the vulnerable query in AdminTools, limiting this capability to trusted administrators only
  • Continuously monitor CMS logs for unexpected crashes or repeated DoS attempts and audit access controls to ensure that privilege restrictions remain effective

Generated by OpenCVE AI on April 17, 2026 at 20:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap businessobjects Business Intelligence Platform
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2025:*:*:*:enterprise:*:*:*
cpe:2.3:a:sap:businessobjects_business_intelligence_platform:2027:*:*:*:enterprise:*:*:*
cpe:2.3:a:sap:businessobjects_business_intelligence_platform:430:*:*:*:enterprise:*:*:*
Vendors & Products Sap
Sap businessobjects Business Intelligence Platform

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Business Objects Business Intelligence Platform
Vendors & Products Sap Se
Sap Se sap Business Objects Business Intelligence Platform

Tue, 10 Feb 2026 03:45:00 +0000

Type Values Removed Values Added
Description SAP BusinessObjects Business Intelligence Platform (AdminTools) allows an authenticated attacker with user privileges to execute a specific query in AdminTools that could cause the Content Management Server (CMS) to crash, rendering the CMS partially or completely unavailable and resulting in the denial of service of the Content Management Server (CMS). Successful exploitation impacts system availability, while confidentiality and integrity remain unaffected.
Title Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools)
Weaknesses CWE-405
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Sap Businessobjects Business Intelligence Platform
Sap Se Sap Business Objects Business Intelligence Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T16:17:50.858Z

Reserved: 2026-01-21T22:15:36.672Z

Link: CVE-2026-24324

cve-icon Vulnrichment

Updated: 2026-02-10T16:17:08.133Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T04:16:04.630

Modified: 2026-02-17T15:15:09.090

Link: CVE-2026-24324

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses