- SAP’s December update fixed 14 flaws, including three critical vulnerabilities in key products
- CVE-2025-42880 (9.9) in SAP Solution Manager allows code injection and full system compromise
- CVE-2025-55754 (9.6) in Apache Tomcat and CVE-2025-42928 (9.1) in SAP jConnect allow remote code execution under certain conditions
SAP has released its December cumulative security update, fixing 14 vulnerabilities across different products. Among them are three critical-severity flaws that should be addressed without delay.
The full list of addressed vulnerabilities can be found at this link.
The most critical bug fixed this time is a code injection vulnerability discovered in SAP Solution Manager ST 720, a specific support package stack level of SAP Solution Manager 7.2 that provides updated tools for application lifecycle management, system monitoring, and IT service management.
SAP Commerce Cloud affected
The bug is tracked as CVE-2025-42880 and was assigned a severity score of 9.9/10 (critical).
“Due to a lack of input sanitization, SAP Solution Manager allows an authenticated attacker to insert malicious code by calling a remotely enabled function module,” the CVE log explains. “This could provide the attacker with full control of the system, which would have a high impact on the confidentiality, integrity and availability of the system.”
The second most severe flaw is an improper neutralization of control, meta, or escape sequences in Apache Tomcat, which affects SAP Commerce Cloud components. It is tracked as CVE-2025-55754 and has a severity score of 9.6/10 (critical).
“Tomcat did not escape ANSI escape sequences in log messages,” the CVE page reads. “If Tomcat was running in a console on a Windows operating system and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and clipboard and attempt to trick an administrator into executing a command controlled by the attacker.”
The advisory also states that, while there is no known attack vector, it may be possible to mount this attack on other operating systems.
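The Tomcat issue above is a log-injection problem: request data that reaches a console log unescaped can carry terminal control sequences. The following Python script is an added example, not Tomcat's own fix or any SAP code, showing the defensive side: it detects ANSI escape sequences (CSI and OSC forms) and stray control bytes in log lines and renders them as inert, visible text before they reach a terminal. The log lines are constructed for the example, and the function names are this example's own.

```python
import re

# Constructed sample access-log lines (not from the page): the first is benign,
# the second carries raw ESC sequences and a BEL byte inside the request path.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [09/Dec/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Dec/2025:10:00:01 +0000] "GET /\x1b[2J\x1b[1;31mALERT\x1b[0m'
    '\x1b]0;title\x07 HTTP/1.1" 404 0',
]

# Structured ESC-introduced sequences:
#   CSI: ESC [ parameter-bytes intermediate-bytes final-byte
#   OSC: ESC ] payload terminated by BEL or by ST (ESC \)
#   any other single-character Fe sequence (ESC followed by 0x40-0x5f)
ANSI_RE = re.compile(
    r'\x1b\[[0-?]*[ -/]*[@-~]'
    r'|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)'
    r'|\x1b[@-Z\\-_]'
)

# Any C0 control byte other than TAB, plus DEL: none of these belong in a log line
# (this also covers ESC itself and CR/LF used for log forging).
CONTROL_RE = re.compile(r'[\x00-\x08\x0a-\x1f\x7f]')


def find_sequences(line: str) -> list:
    """Return every structured ANSI escape sequence found in the line."""
    return ANSI_RE.findall(line)


def contains_control(line: str) -> bool:
    """True if the line carries an ANSI sequence or any bare control byte."""
    return bool(ANSI_RE.search(line)) or bool(CONTROL_RE.search(line))


def neutralize(line: str) -> str:
    """Replace each control byte with its visible \\xNN form.

    Rewriting only the control byte keeps the rest of the sequence readable
    for an analyst (e.g. ESC [ 2 J becomes the literal text \\x1b[2J) while
    leaving nothing a terminal would interpret.
    """
    return CONTROL_RE.sub(lambda m: '\\x{:02x}'.format(ord(m.group(0))), line)


def scan(lines):
    """Sanitize a batch of log lines.

    Returns (sanitized_lines, flagged_indexes) where flagged_indexes lists the
    positions of lines that contained control sequences before sanitization.
    """
    sanitized, flagged = [], []
    for index, raw in enumerate(lines):
        line = raw.rstrip('\n')
        if contains_control(line):
            flagged.append(index)
        sanitized.append(neutralize(line))
    return sanitized, flagged


if __name__ == '__main__':
    clean, suspicious = scan(SAMPLE_LOG_LINES)
    for index, line in enumerate(clean):
        marker = 'SUSPICIOUS' if index in suspicious else 'ok        '
        print(marker, line)
```

Run the script to see the second line printed with its sequences rendered as plain `\x1b[...]` text and flagged as suspicious. The same filter belongs on any path where request-controlled strings are written to a console or a log viewer; alerting on flagged lines is a cheap detection for attempts of this kind.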
The third is a deserialization bug in SAP jConnect that allows high-privileged users to execute malicious code remotely, but only when specific conditions are met. This bug is tracked as CVE-2025-42928 and was assigned a severity score of 9.1/10 (critical).
Via BleepingComputer