
We are aware of three critical vulnerabilities that have been addressed by SAP

  • The December SAP update resolved 14 vulnerabilities, including three critical vulnerabilities in key products
  • CVE-2025-42880 (9.9) in SAP Solution Manager allows code injection and complete system compromise
  • CVE-2025-55754 (9.6) in Apache Tomcat and CVE-2025-42928 (9.1) in SAP jConnect allow remote code execution under certain circumstances

SAP has released the cumulative security update for December, which fixes fourteen vulnerabilities in different products. These include three critical bugs that need to be addressed immediately.

The full list of resolved vulnerabilities can be found at this link.

The most critical bug fixed this time is a code injection vulnerability discovered in SAP Solution Manager ST 720, a specific support stack for SAP Solution Manager 7.2 that provides updated tools for application lifecycle management, system monitoring and IT service management.

SAP Commerce Cloud is affected

The bug is tracked as CVE-2025-42880 and received a severity rating of 9.9/10 (Critical).

“Due to a lack of input verification, SAP Solution Manager allows an authenticated attacker to inject malicious code by calling a remotely activated function module,” the CVE dataset explains. “This can give the attacker complete control over the system and therefore has a significant impact on the confidentiality, integrity and availability of the system.”

The second critical bug is an improper neutralization of escape, meta or control sequences flaw in Apache Tomcat that affects SAP Commerce Cloud components. It is registered as CVE-2025-55754 and has a severity rating of 9.6/10 (Critical).

“Tomcat did not escape ANSI escape sequences in log messages,” the CVE page said. “When Tomcat was run in a console on a Windows operating system and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and clipboard and attempt to trick an administrator into executing a command controlled by the attacker.”

The advisory also states that no attacks are currently known, but that the attack may also be possible on other operating systems.
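The Tomcat issue quoted above is a log-injection problem: a request-controlled value reaches a console log without its control characters being neutralized. The following is an added example written for this article, not code from the page, from SAP or from the Apache Tomcat project, and it uses Python rather than Tomcat's Java to keep the idea self-contained. It shows the two things a defender wants here: a sanitizer that escapes control characters before a request-derived string is written to a log, and a scanner that flags existing access-log lines carrying ANSI escape sequences. The log lines, IP addresses and paths are constructed sample data; the function names are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the page). The second one
# carries a percent-encoded ESC byte in the request path, so the control character
# only appears once the path is URL-decoded, which is where a naive logger would
# emit it straight to the console.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Dec/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2025:10:00:01 +0000] "GET /%1b[2J%1b[31mmissing HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Dec/2025:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 8192',
]

# ANSI escape sequences: CSI (ESC [ params intermediates final), OSC (ESC ] ... BEL
# or ESC \), and any remaining two-byte ESC x sequence. CSI and OSC come first so
# that their introducer bytes are not consumed by the generic alternative.
ANSI_RE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]"       # CSI
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC
    r"|[@-_])"                           # other Fe sequences
)


def sanitize_for_log(value: str) -> str:
    """Escape C0 controls, DEL and C1 controls so a terminal never interprets them.

    Each such byte becomes a visible '\\xNN' token; printable text is untouched.
    Apply this to every request-derived value (path, query, headers) before it is
    formatted into a log message.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F or 0x80 <= code <= 0x9F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def contains_ansi(value: str) -> bool:
    """True if the string carries at least one ANSI escape sequence."""
    return ANSI_RE.search(value) is not None


def scan_log_lines(lines):
    """Return the indices of log lines whose URL-decoded form contains ANSI sequences.

    Decoding first matters: the raw line may look harmless because the ESC byte is
    still percent-encoded, while the decoded path is what a console would render.
    """
    return [i for i, line in enumerate(lines) if contains_ansi(unquote(line))]


def safe_log_line(line: str) -> str:
    """Decode, then neutralize: what a hardened logger would actually write out."""
    return sanitize_for_log(unquote(line))


if __name__ == "__main__":
    for idx in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {idx} carries an escape sequence:")
        print("  ", safe_log_line(SAMPLE_LOG_LINES[idx]))
```

The scanner is the detection side: run over archived access logs it surfaces requests that were trying to reach the console, and because it decodes before matching it does not miss the percent-encoded form. The sanitizer is the mitigation side and matches what the fix amounts to in spirit: control characters are rendered as visible escapes rather than passed through, so the console and clipboard tricks described in the quote have nothing to act on.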

The third critical bug is a deserialization flaw in SAP jConnect that allows users with elevated privileges to execute malicious code remotely, but only if certain conditions are met. This bug is tracked as CVE-2025-42928 and received a severity rating of 9.1/10 (Critical).

IN BeepTeam