Today, SAP has released its final security update of the year, dropping 14 new security notes. The patch bundle is headlined by a critical “Code Injection” vulnerability in SAP Solution Manager that carries a near-maximum severity score, posing a significant risk to enterprise system integrity.
The most alarming issue in this month’s release is CVE-2025-42880, a Code Injection vulnerability affecting SAP Solution Manager (specifically version ST 720).
With a CVSS score of 9.9, this flaw is classified as “Critical.” The vulnerability stems from missing input sanitation, which “allows an authenticated attacker to insert malicious code when calling a remote-enabled function module”.
The implications are severe. Successful exploitation could provide an attacker with “full control of the system,” leading to a complete compromise of confidentiality, integrity, and availability.
Two other critical notes stand out in this release:
- Apache Tomcat Vulnerabilities in Commerce Cloud: SAP patched multiple vulnerabilities affecting Apache Tomcat within SAP Commerce Cloud. These flaws, including CVE-2025-55754, carry a critical CVSS score of 9.6.
- Deserialization in jConnect: A high-risk deserialization vulnerability was fixed in the SAP jConnect SDK for ASE. This flaw (CVE-2025-42928), rated CVSS 9.1, could allow a privileged user to launch remote code execution under specific conditions.
Beyond the critical alerts, several high-severity issues were addressed:
- Sensitive Data Exposure (CVE-2025-42878): SAP Web Dispatcher and Internet Communication Manager (ICM) were found to potentially expose internal testing interfaces. If these interfaces are left enabled, unauthenticated attackers could “access diagnostics, send crafted requests, or disrupt services”.
- Denial of Service (DoS): Two separate DoS vulnerabilities (CVE-2025-42874 & CVE-2025-48976) were patched: one in SAP NetWeaver (remote service for Xcelsius), and another in SAP Business Objects.
- Memory Corruption (CVE-2025-42877): A memory corruption flaw affecting Web Dispatcher, ICM, and SAP Content Server was also resolved.
The update also includes fixes for medium-severity issues, including:
- Missing Authorization Checks: Found in SAP S/4HANA Private Cloud (Financials General Ledger) and SAP Enterprise Search for ABAP.
- Cross-Site Scripting (XSS): A vulnerability in SAP NetWeaver Enterprise Portal that could allow attackers to inject malicious scripts.
- Server-Side Request Forgery (SSRF): A flaw in the SAP BusinessObjects Business Intelligence Platform.
With the year closing out, administrators are strongly advised to review and apply these patches—especially the critical Solution Manager fix—to ensure their SAP landscapes remain secure entering 2026.