CVE-2025-42878— Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-42878
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM)
Source: NVD (National Vulnerability Database)
Vulnerability Description
SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on confidentiality, availability and low impact on integrity and of the application.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1244
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP Web Dispatcher和SAP Internet Communication Manager 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP Web Dispatcher和SAP Internet Communication Manager(SAP ICM)都是德国思爱普(SAP)公司的产品。SAP Web Dispatcher是Load Balancing 的核心组件,支持负载均衡,提供反向代理的功能,使得外网用户可以访问到内部应用。SAP Internet Communication Manager是一个 SAP NetWeaver 应用程序服务器的组件。用于接收和发送 Web 请求(HTTP、HTTPS、SMTP)。 SAP We
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP_SE | SAP Web Dispatcher and Internet Communication Manager (ICM) | KRNL64NUC 7.22 | - |
II. Public POCs for CVE-2025-42878
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-42878
请登录查看更多情报信息。
Same Patch Batch · SAP_SE · 2025-12-09 · 12 CVEs total
| CVE-2025-42880 | 9.9 CRITICAL | Code Injection vulnerability in SAP Solution Manager |
| CVE-2025-42928 | 9.1 CRITICAL | Deserialization Vulnerability in SAP jConnect - SDK for ASE |
| CVE-2025-42874 | 7.9 HIGH | Denial of service (DOS) in SAP NetWeaver (remote service for Xcelsius) |
| CVE-2025-42877 | 7.5 HIGH | Memory Corruption vulnerability in SAP Web Dispatcher, Internet Communication Manager and |
| CVE-2025-42876 | 7.1 HIGH | Missing Authorization Check in SAP S/4 HANA Private Cloud (Financials General Ledger) |
| CVE-2025-42875 | 6.6 MEDIUM | Missing Authentication check in SAP NetWeaver Internet Communication Framework |
| CVE-2025-42904 | 6.5 MEDIUM | Information Disclosure vulnerability in Application Server ABAP |
| CVE-2025-42872 | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal |
| CVE-2025-42873 | 5.9 MEDIUM | Denial of Service (DoS) in SAPUI5 framework (Markdown-it component) |
| CVE-2025-42891 | 5.5 MEDIUM | Missing Authorization check in SAP Enterprise Search for ABAP |
| CVE-2025-42896 | 5.4 MEDIUM | Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform |
IV. Related Vulnerabilities
Same vendor: SAP_SE
- CVE-2026-34264
Information Disclosure vulnerability in SAP Human Capital Ma - CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and - CVE-2026-34261
Missing Authorization check in SAP Business Analytics and SA - CVE-2026-34257
Open Redirect vulnerability in SAP NetWeaver Application Ser - CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Pri
V. Comments for CVE-2025-42878
No comments yet