SAP Security Update Fixes Critical Code Injection Vulnerability in Solution Manager

Redazione RHC : 9 December 2025 10:41

SAP has just released its latest annual security update, which contains 14 new security fixes. Among them is a critical “code injection” flaw in SAP Solution Manager that poses a high risk to the integrity of enterprise systems, with a severity rating very close to the maximum.

This vulnerability, which has a CVSS score of 9.9, is rated “Critical.” Its root cause is a lack of proper input sanitization, which allows an authenticated attacker to execute malicious code by calling a function module that can be enabled remotely.

In this collection of fixes, two other critical notes emerge:

  • Apache Tomcat Vulnerabilities in Commerce Cloud: SAP has fixed several vulnerabilities affecting Apache Tomcat in SAP Commerce Cloud. These vulnerabilities, including CVE-2025-55754, have a critical CVSS score of 9.6.
  • Deserialization in jConnect: A high-risk deserialization vulnerability has been addressed in the SAP jConnect SDK for ASE. This vulnerability (CVE-2025-42928), rated CVSS 9.1, could allow a privileged user to achieve remote code execution under specific conditions.

One of the most significant concerns is CVE-2025-42880, a Code Injection security flaw affecting SAP Solution Manager, especially in version ST 720.

Confidentiality, integrity, and availability could all be completely compromised if an attacker gained full control of the system through successful exploitation. The consequences would be very serious.

In addition to the critical advisories, several high-severity issues have been addressed:

  • Sensitive Data Exposure (CVE-2025-42878): SAP Web Dispatcher and Internet Communication Manager (ICM) were found to potentially expose internal test interfaces. If these are left enabled, unauthenticated attackers could “access diagnostics, send forged requests, or disrupt services.”
  • Denial of Service (DoS): Two separate DoS vulnerabilities (CVE-2025-42874 and CVE-2025-48976) have been fixed: one in SAP NetWeaver (remote service for Xcelsius) and the other in SAP Business Objects.
  • Memory Corruption (CVE-2025-42877): A memory corruption flaw affecting Web Dispatcher, ICM, and SAP Content Server has also been addressed.

Administrators are strongly encouraged to review and implement these patches, especially the critical fix for Solution Manager, to ensure their SAP environments remain protected well into 2026.

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
