TechRadar
Sead Fadilpašić

Three critical vulnerabilities patched by SAP - here's what we know

  • SAP’s December update patched 14 flaws, including three critical vulnerabilities in key products
  • CVE-2025-42880 (9.9) in SAP Solution Manager allows code injection and full system compromise
  • CVE-2025-55754 (9.6) in Apache Tomcat and CVE-2025-42928 (9.1) in SAP jConnect enable remote code execution under certain conditions

SAP has released its December cumulative security update, fixing 14 vulnerabilities across different products. Among them are three critical-severity flaws that should be addressed without delay.

The full list of addressed vulnerabilities is available from SAP.

The most critical bug fixed this time is a code injection vulnerability discovered in SAP Solution Manager ST 720, a specific support package stack level of SAP Solution Manager 7.2 that provides updated tools for application lifecycle management, system monitoring, and IT service management.

SAP Commerce Cloud affected

The bug is tracked as CVE-2025-42880 and was given a severity score of 9.9/10 (critical).

“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” the CVE record explains. “This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system.”

The second biggest flaw is an improper neutralization of escape, meta, or control sequences bug in Apache Tomcat, affecting SAP Commerce Cloud components. It is tracked as CVE-2025-55754 and has a severity score of 9.6/10 (critical).

“Tomcat did not escape ANSI escape sequences in log messages,” the CVE page reads. “If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker-controlled command.”

The advisory also states that there is no known attack vector, but it might be possible to mount this attack on other operating systems.
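The logging gap described above, seen from the defender's side: an added example that is not Tomcat's or SAP's code. The log lines are constructed, and the scanner flags ESC-initiated sequences and renders control bytes as visible escapes before a line reaches a console.

```python
import re

# Constructed sample log lines (not real Tomcat output). The second line embeds
# CSI sequences (clear screen, cursor home); the third embeds an OSC sequence of
# the kind some terminals interpret as a clipboard write. Payload text is a dummy.
SAMPLE_LOG_LINES = [
    "GET /app/index.jsp 200",
    "GET /app/\x1b[2J\x1b[Hbogus 404",
    "GET /app/\x1b]52;c;ZGVtbw==\x07 404",
]

# ESC-initiated sequences: CSI (ESC [ params intermediates final), OSC
# (ESC ] ... terminated by BEL or ESC \), and remaining two-byte Fe escapes.
ANSI_SEQUENCE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC
    r"|\x1b[\x40-\x5f]"                    # other Fe sequences
)
# Any C0 control byte or DEL; none of these should reach a console unescaped.
CONTROL_CHAR = re.compile(r"[\x00-\x1f\x7f]")


def find_ansi_sequences(line: str) -> list[str]:
    """Return every ANSI escape sequence found in a log line (empty if clean)."""
    return ANSI_SEQUENCE.findall(line)


def sanitize_log_line(line: str) -> str:
    """Make control bytes visible instead of interpretable.

    ESC becomes the literal text '\\x1b' and every other control byte becomes
    '\\xNN', so the sequence is preserved as evidence but never acted on.
    """
    return CONTROL_CHAR.sub(lambda m: f"\\x{ord(m.group(0)):02x}", line)


def scan_log(lines: list[str]) -> list[tuple[int, int]]:
    """Return (line_number, sequence_count) for each line carrying ANSI sequences."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_ansi_sequences(line)
        if found:
            hits.append((number, len(found)))
    return hits


if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG_LINES, start=1):
        print(number, sanitize_log_line(line))
    print("flagged:", scan_log(SAMPLE_LOG_LINES))
```

Sanitizing at the point where the log line is formatted covers every console, whereas relying on the terminal to ignore the sequences depends on which terminal an administrator happens to use.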

The third one is a deserialization bug in SAP jConnect that allows high-privileged users to execute malicious code remotely, but only when specific conditions are met. This bug is tracked as CVE-2025-42928 and was given a severity score of 9.1/10 (critical).

Via BleepingComputer
