CVE-2025-42976 Overview
CVE-2025-42976 affects SAP NetWeaver Application Server ABAP, specifically the BIC Document component. An authenticated attacker can craft a request that triggers a memory corruption error when submitted to a BIC Document application. Successful exploitation crashes the target component, and repeated submissions render the application unavailable. A similarly crafted request can trigger an out-of-bounds read [CWE-125], exposing sensitive information loaded in memory at the time of the request. The vulnerability does not allow modification of data.
Critical Impact
Authenticated attackers can crash the BIC Document component and disclose in-memory data through an out-of-bounds read, causing service unavailability and information leakage in SAP NetWeaver ABAP environments.
Affected Products
- SAP NetWeaver Application Server ABAP
- BIC Document component of SAP NetWeaver AS ABAP
- SAP systems referenced in SAP Note #3611184
Discovery Timeline
- 2025-08-12 - CVE-2025-42976 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-42976
Vulnerability Analysis
The vulnerability resides in how the BIC Document application within SAP NetWeaver Application Server ABAP processes incoming requests. A malformed request triggers a memory corruption condition that crashes the component. The same class of malformed input can also produce an out-of-bounds read [CWE-125], returning bytes from adjacent memory regions to the requester.
The flaw requires authentication and is exploitable over the network. The attacker can disrupt availability and read sensitive in-memory content but cannot alter stored data. The EPSS score is 0.099% as of 2026-05-26, indicating low observed exploitation likelihood at this time.
Root Cause
The root cause is improper validation of input bounds during request parsing inside the BIC Document handler. When the parser dereferences memory based on attacker-controlled offsets or lengths, the runtime either corrupts memory state, leading to a crash, or reads past the intended buffer boundary, exposing residual data from the ABAP work process memory.
Attack Vector
An authenticated user submits a crafted HTTP request to the BIC Document endpoint exposed by the SAP NetWeaver ABAP stack. A single request triggers a component crash. Repeated submissions sustain the denial-of-service condition. A variant payload triggers the out-of-bounds read path, returning memory contents in the response.
No public proof-of-concept or exploit is available. See SAP Note #3611184 for vendor technical details.
Detection Methods for CVE-2025-42976
Indicators of Compromise
- Unexpected termination or restart of ABAP work processes handling BIC Document requests
- Repeated HTTP requests from a single authenticated user targeting BIC Document endpoints followed by short-message dumps in ST22
- Anomalous response sizes or response content from BIC Document endpoints containing non-printable or unexpected binary data
- SAP system logs showing DUMP entries correlated with BIC Document URL paths
Detection Strategies
- Monitor ABAP runtime errors (ST22) for memory access dumps tied to the BIC Document component
- Correlate authentication events with BIC Document request volume per user to surface abnormal request bursts
- Inspect HTTP request payloads for malformed parameters submitted to BIC Document URLs at the reverse proxy or SAP Web Dispatcher layer
Monitoring Recommendations
- Forward SAP Security Audit Log (SM19/RSAU_CONFIG) and ABAP short dumps to a centralized SIEM for correlation
- Alert on repeated work process crashes within short time windows on hosts running BIC Document
- Track outbound response sizes from BIC Document endpoints to identify potential information leakage
How to Mitigate CVE-2025-42976
Immediate Actions Required
- Apply the fixes referenced in SAP Note #3611184 on all affected SAP NetWeaver AS ABAP systems
- Review the SAP Security Patch Day bulletin to confirm the patch level matches your installed support package
- Restrict network access to BIC Document endpoints to authorized users and trusted network segments
- Audit accounts authorized to access the BIC Document application and remove unnecessary entitlements
Patch Information
SAP has published remediation through SAP Note #3611184. Customers must authenticate to the SAP Support Portal to access the note and obtain the corresponding support packages or kernel patches for their NetWeaver AS ABAP release. Apply the patch in a test environment first and validate BIC Document functionality before promoting to production.
Workarounds
- Temporarily disable the BIC Document application if it is not required for business operations
- Place SAP Web Dispatcher or a reverse proxy rule in front of BIC Document URLs to filter requests from untrusted sources
- Enforce least-privilege authorization for users with access to BIC Document transactions and services
- Increase monitoring of ABAP short dumps and work process restarts until patching is complete
# Example: restrict BIC Document URL access at SAP Web Dispatcher
# icm/HTTP/auth_<xx> profile parameter example
icm/HTTP/auth_0 = PREFIX=/sap/bc/bic/, PERMFILE=$(DIR_INSTANCE)/work/permfile.txt
# permfile.txt contents:
# P /sap/bc/bic/* 10.0.0.0/8
# D /sap/bc/bic/*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
