Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
SAP Security Update Fixes Critical Code Injection Vulnerability in Solution Manager

9 December 2025 10:41

SAP has just released its latest annual security update, which contains 14 new security bug fixes. Among them is a critical “code injection” flaw in SAP Solution Manager that poses a high risk to the integrity of enterprise systems, with a severity rating very close to the maximum.

This vulnerability, which has a CVSS score of 9.9, is labeled “Critical.” Its root cause is a lack of proper input sanitization, which allows an authenticated attacker to execute malicious code by calling a function module that can be enabled remotely.

In this collection of fixes, two other critical notes emerge:

  • Apache Tomcat Vulnerabilities in Commerce Cloud: SAP has fixed several vulnerabilities affecting Apache Tomcat in SAP Commerce Cloud. These vulnerabilities, including CVE-2025-55754, have a critical CVSS score of 9.6.
  • Deserialization in jConnect: A high-risk deserialization vulnerability has been addressed in the SAP jConnect SDK for ASE. This vulnerability (CVE-2025-42928), rated CVSS 9.1, could allow a privileged user to initiate remote code execution under specific conditions.

One of the most significant concerns is CVE-2025-42880, a Code Injection security flaw affecting SAP Solution Manager, especially in version ST 720.

Confidentiality, integrity, and availability could be completely compromised if an attacker were to gain full control of the system through effective exploitation. The consequences would be very serious.

In addition to the critical advisories, several high-severity issues have been addressed:

  • Sensitive Data Exposure (CVE-2025-42878): SAP Web Dispatcher and Internet Communication Manager (ICM) were found to potentially expose internal test interfaces. If these are left enabled, unauthenticated attackers could “access diagnostics, send forged requests, or disrupt services.”
  • Denial of Service (DoS): Two separate DoS vulnerabilities (CVE-2025-42874 and CVE-2025-48976) have been fixed: one in SAP NetWeaver (remote service for Xcelsius) and the other in SAP Business Objects.
  • Memory Corruption (CVE-2025-42877): A memory corruption flaw affecting Web Dispatcher, ICM, and SAP Content Server has also been addressed.

Administrators are strongly encouraged to review and implement these patches, especially the critical fix for Solution Manager, to ensure their SAP environments remain protected well into 2026.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.