SAP Web Dispatcher ICM Unauthenticated Interface Exposure
CVE-2025-42878 Published on December 9, 2025
Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM)
SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on the confidentiality and availability of the application and a low impact on its integrity.
Vulnerability Analysis
CVE-2025-42878 is exploitable with network access and requires user interaction. This vulnerability is considered to have a high level of attack complexity. An exploit of this vulnerability is considered to have a high impact on confidentiality, no impact on integrity, and a high impact on availability.
Weakness Type
Improper Access to Sensitive Information Using Debug and Test Interfaces
The product's physical debug and test interface protection does not block untrusted agents, resulting in unauthorized access to and potentially control of sensitive assets.
Products Associated with CVE-2025-42878
Affected Versions
SAP_SE SAP Web Dispatcher and Internet Communication Manager (ICM):
- Version KRNL64NUC 7.22 is affected.
- Version 7.22EXT is affected.
- Version KRNL64UC 7.22 is affected.
- Version 7.53 is affected.
- Version WEBDISP 7.22_EXT is affected.
- Version 7.54 is affected.
- Version 7.77 is affected.
- Version 7.89 is affected.
- Version 7.93 is affected.
- Version 9.16 is affected.
- Version KERNEL 7.22 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.