Introduction
Business continuity and sensitive data integrity in SAP-powered enterprises can be disrupted by memory corruption vulnerabilities. CVE-2025-42976 in SAP NetWeaver Application Server ABAP's BIC Document component allows authenticated users to crash the system or read sensitive memory contents, with a CVSS score of 8.1.
SAP SE is a dominant force in enterprise software, with SAP NetWeaver serving as the backbone for business applications in thousands of organizations globally. The ABAP stack, and specifically components like BIC Document, are integral to business intelligence and document processing workflows, making vulnerabilities in these areas especially impactful for operational reliability and data confidentiality.
Technical Information
CVE-2025-42976 is a memory corruption vulnerability in the BIC Document component of SAP NetWeaver Application Server ABAP. The vulnerability is triggered when an authenticated user submits a specially crafted request to the BIC Document application. This request manipulates memory address handling, resulting in corruption of memory structures and a crash of the target component. Multiple exploit attempts can render the component entirely unavailable, causing a denial of service.
A variant of the crafted request can perform an out-of-bounds read (CWE-125), exposing sensitive information present in memory at the time of exploitation. The root cause is improper bounds checking and memory management in the BIC Document application when processing user-supplied input. There is no ability to modify information, but the risk of data exposure and service disruption is significant. No public code snippets or PoC details are available for this vulnerability.
The vulnerability requires authentication but does not demand elevated privileges beyond access to the BIC Document functionality. Attackers with valid credentials or compromised accounts can exploit this issue to disrupt business operations or extract sensitive in-memory data.
Affected Systems and Versions
- SAP NetWeaver Application Server ABAP (BIC Document component)
- No specific version numbers or ranges are provided in public sources
- Only authenticated users with access to BIC Document functionality are able to exploit this vulnerability
Vendor Security History
SAP has a track record of memory management and authorization vulnerabilities in its ABAP stack. In 2025 alone, multiple high-severity issues have been disclosed, including memory corruption and insecure deserialization flaws. The vendor maintains a monthly Security Patch Day process and generally responds promptly to critical vulnerabilities. However, the complexity of SAP environments means that vulnerabilities can persist until patches are widely deployed and applied.