CVE-2025-42976

Summary

SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There is no ability to modify any information.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)S4COREOP 104affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)105affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)106affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)107affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)108affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)SEM-BW 600affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)602affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)603affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)604affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)605affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)634affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)736affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)746affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)747affected
SAP_SESAP NetWeaver Application Server ABAP (BIC Document)748affected

Weaknesses

  • CWE-125: CWE-125: Out-of-bounds Read

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References