VYPR

Medium severity (CVSS 6.1) · NVD Advisory · Published Aug 12, 2025 · Updated Apr 15, 2026

CVE-2025-42975

Description

SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim's browser, allowing the attacker to access and/or modify information related to the web client without affecting availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated attacker can exploit a reflected XSS in SAP NetWeaver AS ABAP's BIC Document application by crafting a malicious link that executes a script in the victim's browser.

Vulnerability Analysis

CVE-2025-42975 describes a reflected cross-site scripting (XSS) vulnerability in the SAP NetWeaver Application Server ABAP (BIC Document) component. An unauthenticated attacker can craft a URL which, when opened in the BIC Document application, causes a malicious script to be embedded in the returned page. The root cause is insufficient input validation or output encoding in the application's handling of URL parameters [1].

Exploitation Conditions

The attack requires no authentication and can be launched by tricking a victim into clicking on the crafted link. The attacker does not need a man-in-the-middle position; the malicious link can be distributed via email, social media, or other channels. No special network access is required—only that the victim's browser can reach the vulnerable SAP server [1].

Impact

Upon successful exploitation, the injected script executes within the victim's browser in the context of the affected web application. This allows the attacker to read or modify information related to the web client, such as session tokens, page content, or data displayed in the browser, but it does not affect the availability of the SAP system itself (this is not a denial-of-service issue). The vulnerability is classified as medium severity (CVSS 6.1) [1].

Mitigation

SAP has released a security patch as part of its regular Security Patch Day (second Tuesday of each month). Users are advised to apply the corresponding SAP Security Note promptly. No workaround is documented; the only effective mitigation is installing the vendor-provided patch. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.