CVE-2025-42935
📋 TL;DR
CVE-2025-42935 allows authorized administrators with local file system access to read sensitive information from SAP NetWeaver ICM log files. This vulnerability affects SAP NetWeaver Application Server ABAP and ABAP Platform systems with ICM enabled. Only users with administrative privileges and local file access can exploit this information disclosure.
💻 Affected Systems
- SAP NetWeaver Application Server ABAP
- SAP ABAP Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrators with malicious intent could extract sensitive configuration data, credentials, or business information from ICM logs, potentially enabling further attacks or data exfiltration.
Likely Case
Accidental exposure of sensitive log data to authorized administrators during routine maintenance or troubleshooting activities.
If Mitigated
With proper access controls and log sanitization, the risk is limited to authorized administrators who already have significant system access.
🎯 Exploit Status
Exploitation requires administrative privileges and local file system access to ICM log directories. No authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3601480
Vendor Advisory: https://me.sap.com/notes/3601480
Restart Required: No
Instructions:
1. Download SAP Note 3601480 from SAP Support Portal.
2. Apply the note using SAP Note Assistant or manual implementation.
3. Verify the fix by checking that sensitive information is no longer logged in ICM files.
🔧 Temporary Workarounds
Restrict ICM Log File Access
Unix/Linux: Limit file system permissions on ICM log directories to prevent unauthorized access
chmod 600 /usr/sap/<SID>/<instance>/work/icm*
chown <sapadm>:sapsys /usr/sap/<SID>/<instance>/work/icm*
Disable Detailed ICM Logging
All platforms: Reduce ICM logging verbosity to minimize sensitive information exposure
icm/HTTP/logging_0 = 0
icm/HTTPS/logging_0 = 0
🧯 If You Can't Patch
- Implement strict access controls on ICM log directories using OS-level permissions
- Regularly monitor and audit access to ICM log files and review log content for sensitive data
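To check that the permission workaround above is still in place, the following added example (not part of SAP's note or of this advisory) lists ICM files in an instance work directory that are readable beyond their owner or owned by an unexpected account. The function name `audit_icm_perms` and its two arguments are hypothetical, and the script assumes GNU find for `-perm /077`.

```shell
#!/bin/sh
# Added example: audit ICM file permissions against the "chmod 600" workaround.
# Usage (placeholders as in the workaround above):
#   sh audit_icm.sh /usr/sap/<SID>/<instance>/work <sapadm>

# audit_icm_perms DIR OWNER
#   Lists every regular file named icm* directly inside DIR that either
#   grants any group/other permission bit (looser than mode 600) or is
#   not owned by OWNER.
#   Returns 0 if nothing is flagged, 1 if at least one file is flagged,
#   2 if the arguments are unusable.
audit_icm_perms() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ] || [ -z "$owner" ]; then
        echo "usage: audit_icm_perms DIR OWNER" >&2
        return 2
    fi
    # -perm /077 matches when ANY of the group/other rwx bits is set.
    flagged=$(find "$dir" -maxdepth 1 -type f -name 'icm*' \
        \( -perm /077 -o ! -user "$owner" \) -exec ls -l {} +)
    if [ -z "$flagged" ]; then
        return 0
    fi
    printf 'ICM files with loose mode or unexpected owner:\n%s\n' "$flagged"
    return 1
}

# Run the audit only when the script is invoked with both arguments.
if [ "$#" -ge 2 ]; then
    audit_icm_perms "$1" "$2"
fi
```

A non-zero exit status makes the check easy to schedule and alert on, which also catches files recreated with default permissions after the workaround was applied.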
🔍 How to Verify
Check if Vulnerable:
Check whether SAP Note 3601480 is applied using transaction SNOTE, or check ICM log files for sensitive information such as credentials or configuration details.
Check Version:
Execute 'disp+work' in SAP GUI or check system information in transaction SM51
Verify Fix Applied:
Verify SAP Note 3601480 implementation status and test that sensitive information is no longer present in ICM log files after applying the fix.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to ICM log directories
- Administrative users accessing ICM log files outside normal maintenance windows
Network Indicators:
- No network-based indicators as this is a local file system vulnerability
SIEM Query:
source="OS Audit Logs" AND (event_type="file_access" AND file_path="*icm*log*" AND user="*adm*")