CVE-2025-42878

High

Published: 09 December 2025

Published

09 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:H

EPSS Score 0.0008 23.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-42878 is a high-severity Internal Asset Exposed to Unsafe Debug Access Level or State (CWE-1244) vulnerability in Sap (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

CM-7 Least Functionality good match

prevent

CM-7 Least Functionality directly prevents exposure by prohibiting non-essential internal testing interfaces in production SAP Web Dispatcher and ICM configurations.

CM-6 Configuration Settings good match

prevent

CM-6 Configuration Settings enforces documented, restrictive configurations that disable unintended testing interfaces, comprehensively mitigating the vulnerability.

SI-2 Flaw Remediation good match

prevent

SI-2 Flaw Remediation requires timely implementation of SAP security note 3684682 to correct the exposure of testing interfaces.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Exposes exploitable testing interfaces in public-facing SAP Web Dispatcher/ICM (T1190), enabling access to diagnostics (confidentiality impact) and service disruption (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on confidentiality,…

availability and low impact on integrity and of the application.

Deeper analysisAI

CVE-2025-42878 is a vulnerability in SAP Web Dispatcher and Internet Communication Manager (ICM) that may expose internal testing interfaces not intended for production use. If these interfaces are enabled, they can be exploited, resulting in high impact on confidentiality and availability, with low impact on integrity. The vulnerability is rated with a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:H) and is associated with CWE-1244.

Unauthenticated attackers can exploit this vulnerability over the network, though it requires high attack complexity and user interaction. Successful exploitation allows attackers to access diagnostics, send crafted requests, or disrupt services, potentially compromising sensitive information and service availability while having limited integrity effects.

SAP provides mitigation guidance in security note 3684682 (https://me.sap.com/notes/3684682) and details on the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday).

Details

CWE(s): CWE-1244

Affected Products

Sap

—

inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-29642Shared CWE-1244

CVE-2024-0114Shared CWE-1244

References

https://me.sap.com/notes/3684682
cna@sap.com
https://url.sap/sapsecuritypatchday
cna@sap.com