CVE-2025-42878
Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM)
In short
SAP Web Dispatcher and ICM contain testing interfaces that should be disabled in production systems. If left enabled, attackers without credentials can access diagnostic information, manipulate requests, or cause service disruptions.
Technical detail
CWE-1244 describes exposure of internal testing/debug interfaces in production deployments. The vulnerability allows unauthenticated remote attackers to access diagnostic functions via the Web Dispatcher or ICM, enabling information disclosure and potential denial of service. Exploitation requires the testing interfaces to remain enabled in the production environment.
Summary generated and translated by AI from the official description.
SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on the confidentiality and availability of the application and a low impact on its integrity.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:H
Affected products
SAP_SE · SAP Web Dispatcher and Internet Communication Manager (ICM)