Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-42975

CVE-2025-42975: SAP NetWeaver ABAP XSS Vulnerability

CVE-2025-42975 is a cross-site scripting flaw in SAP NetWeaver Application Server ABAP BIC Document that enables unauthenticated attackers to inject malicious scripts via crafted URLs. This article covers technical details, affected versions, impact analysis, and recommended mitigation strategies.

Published:

CVE-2025-42975 Overview

CVE-2025-42975 is a reflected cross-site scripting (XSS) vulnerability in the SAP NetWeaver Application Server ABAP BIC Document application. An unauthenticated attacker can craft a URL that embeds a malicious script into the BIC Document application. When a victim clicks the crafted link, the script executes in the victim's browser session. The attacker can then read or modify information tied to the web client without affecting service availability. The issue is tracked under CWE-79 and requires user interaction to succeed.

Critical Impact

A successful attack lets an unauthenticated adversary execute arbitrary JavaScript in a victim's SAP session, enabling theft of session data, defacement of BIC Document pages, and unauthorized actions performed as the victim.

Affected Products

  • SAP NetWeaver Application Server ABAP
  • SAP BIC Document component
  • Specific supported versions listed in SAP Note #3611184

Discovery Timeline

  • 2025-08-12 - CVE-2025-42975 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-42975

Vulnerability Analysis

The flaw is a reflected XSS issue in the BIC Document application shipped with SAP NetWeaver Application Server ABAP. The application incorporates attacker-controlled input from a URL parameter into an HTTP response without sufficient output encoding. Because the injection point returns HTML content executed by the browser, arbitrary JavaScript runs in the victim's origin context.

The scope is marked as changed, meaning the injected script can reach resources beyond the vulnerable component's original security boundary. Confidentiality and integrity impacts are limited but real: an attacker can access data the victim's browser can read and issue authenticated requests as the victim. Availability is not impacted.

Exploitation requires the victim to click a crafted link, so social engineering, phishing emails, or attacker-controlled pages are the primary delivery paths. No credentials are needed to build the payload, which lowers the barrier for opportunistic attacks against externally reachable SAP instances.

Root Cause

The root cause is improper neutralization of user-supplied input during web page generation in the BIC Document handler. Input reflected into the response is not encoded for the HTML, attribute, or JavaScript context in which it is rendered, allowing script tags or event handlers to break out of the intended data context.

Attack Vector

The attack vector is network-based. An attacker constructs a URL containing a JavaScript payload targeting the BIC Document endpoint and distributes it via phishing, chat, or hosted redirects. When an authenticated SAP user opens the link, the payload executes in the browser and can call BIC Document APIs, exfiltrate cookies or session tokens accessible to the page, and manipulate rendered content. The vulnerability requires user interaction and does not require attacker authentication.

No public proof-of-concept is available. See SAP Note #3611184 for the vendor's technical description.

Detection Methods for CVE-2025-42975

Indicators of Compromise

  • HTTP requests to BIC Document URLs containing script-like tokens such as <script, onerror=, onload=, javascript:, or URL-encoded variants (%3Cscript, %3Cimg).
  • Referrer headers on SAP requests originating from external, untrusted domains or shortened URL services.
  • Unusual outbound requests from SAP web clients to attacker-controlled hosts immediately after a BIC Document page load.
  • Web application firewall (WAF) alerts flagging reflected XSS patterns against SAP NetWeaver endpoints.

Detection Strategies

  • Inspect Internet Communication Manager (ICM) and reverse proxy logs for query strings targeting BIC Document handlers with HTML metacharacters.
  • Correlate SAP audit logs with browser telemetry to identify sessions loading BIC Document pages followed by anomalous API calls.
  • Deploy Content Security Policy (CSP) violation reporting on SAP web frontends to surface injected inline scripts.

Monitoring Recommendations

  • Alert on repeated 200-response BIC Document requests containing suspicious payload fragments from the same source IP.
  • Track sudden increases in outbound clicks to SAP URLs originating from email gateways, which may indicate phishing runs.
  • Monitor for session token reuse across geographically distant IP addresses after BIC Document access.

How to Mitigate CVE-2025-42975

Immediate Actions Required

  • Apply the patches referenced in SAP Note #3611184 on all NetWeaver Application Server ABAP systems running the BIC Document component.
  • Review the SAP Security Patch Day bulletin to identify related notes that must be applied together.
  • Restrict external exposure of BIC Document endpoints where business requirements permit.

Patch Information

SAP has released fixes through SAP Note #3611184 as part of its Security Patch Day cycle. Administrators must download the note from the SAP ONE Support Launchpad, identify the correct support package or manual correction for their release, and deploy through the standard SAP transport process. Confirm remediation by re-testing the BIC Document endpoint with known XSS payloads in a controlled environment.

Workarounds

  • Configure a WAF rule set to block requests to BIC Document URLs containing HTML tags, event handler attributes, or javascript: schemes until patching is complete.
  • Enforce a strict Content Security Policy on SAP web frontends to block inline script execution.
  • Train users to avoid clicking SAP links received from untrusted sources and to access SAP applications through bookmarked internal URLs.
  • Limit BIC Document access to authenticated users on internal networks via reverse proxy access controls.
bash
# Example WAF rule (ModSecurity) blocking reflected XSS payloads against BIC Document endpoints
SecRule REQUEST_URI "@contains /bic/document" \
    "phase:2,deny,status:403,id:1042975,\
    msg:'Potential CVE-2025-42975 XSS attempt against SAP BIC Document',\
    chain"
    SecRule ARGS "@rx (?i)(<script|onerror=|onload=|javascript:|%3Cscript)" \
        "t:none,t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.