- SAP’s December update fixed 14 bugs, including three critical vulnerabilities in key products
- CVE-2025-42880 (9.9) in SAP Solution Manager allows code injection and full system compromise
- CVE-2025-55754 (9.6) in Apache Tomcat and CVE-2025-42928 (9.1) in SAP jConnect allow remote code execution under certain conditions
SAP has released its December cumulative security update, fixing 14 vulnerabilities across various products. Among them are three critical flaws that should be addressed without delay.
The full list of fixed vulnerabilities can be found at this link.
The most critical bug fixed this time is a code injection vulnerability discovered in SAP Solution Manager ST 720, a specific support package stack level in SAP Solution Manager 7.2 that provides updated tools for application lifecycle management, system monitoring and IT service management.
SAP Ecommerce Cloud affected
The bug is tracked as CVE-2025-42880 and received a severity score of 9.9/10 (Critical).
“Due to a lack of input sanitization, SAP Solution Manager allows an authenticated attacker to inject malicious code when calling a remotely activated function module,” the CVE post explains. “This can give the attacker full control over the system and thus lead to a major impact on the confidentiality, integrity and availability of the system.”
The second most severe bug is an "improper neutralization of escape, meta, or control sequences" flaw in Apache Tomcat that affects SAP Commerce Cloud components. It is tracked as CVE-2025-55754 and has a severity rating of 9.6/10 (Critical).
“Tomcat did not escape ANSI escape sequences in log messages,” the CVE page says. “If Tomcat was running in a console on a Windows operating system and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and clipboard and attempt to trick an administrator into running an attacker-controlled command.”
The advisory also states that no attack vector is known for other operating systems, though it may be possible to mount this attack on them as well.
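As an added illustration (not code from the advisory, SAP or the Tomcat project), the following Python shows the two defensive steps the Tomcat issue calls for: a scanner that flags log lines carrying ANSI escape sequences, and a writer-side step that rewrites control characters so a terminal prints them literally instead of interpreting them. The sample access-log lines are constructed for the example.

```python
import re

# One regex covering the ANSI forms a console would interpret:
#   CSI  ESC [ parameters intermediates final   (cursor/screen control)
#   OSC  ESC ] ... terminated by BEL or ESC \    (title, clipboard, etc.)
#   any other two-byte ESC sequence
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
)


def find_escape_sequences(line: str) -> list:
    """Return every ANSI escape sequence found in one log line."""
    return ANSI_RE.findall(line)


def neutralize_control_chars(line: str) -> str:
    """Rewrite each C0 control character (and DEL) as a visible \\xNN token
    before the line is logged, so ESC can never reach the console raw."""
    out = []
    for ch in line:
        code = ord(ch)
        out.append(f"\\x{code:02x}" if code < 0x20 or code == 0x7F else ch)
    return "".join(out)


# Constructed sample log lines. Line 1 carries a CSI "clear screen" sequence
# followed by an OSC 52 sequence (the clipboard-write mechanism); the
# base64 body decodes to the harmless string "demo".
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /\x1b[2J\x1b]52;c;ZGVtbw==\x07x 404",
    "POST /login 302",
]


def audit(lines):
    """List (index, sequences) for every line that contains ANSI escapes."""
    return [(i, find_escape_sequences(l)) for i, l in enumerate(lines)
            if ANSI_RE.search(l)]


if __name__ == "__main__":
    for idx, seqs in audit(SAMPLE_LOG):
        print(f"line {idx}: {len(seqs)} escape sequence(s)")
        print("  safe form:", neutralize_control_chars(SAMPLE_LOG[idx]))
```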
The third critical flaw is a deserialization bug in SAP jConnect that allows highly privileged users to execute malicious code remotely, but only when specific conditions are met. It is tracked as CVE-2025-42928 and received a severity score of 9.1/10 (Critical).
Via Bleeping Computer