Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerabilities in Multiple SAP Products

10 December 2025

SAP has released security updates to address critical vulnerabilities in their SAP Solution Manager ST 720, SAP Commerce Cloud and SAP jConnect. Users and administrators of affected product versions are advised to update to the latest version immediately.

Background

SAP has released security updates to address critical vulnerabilities in their SAP Solution Manager (CVE-2025-42880), SAP Commerce Cloud (CVE-2025-55754) and SAP jConnect (CVE-2025-42928). CVE-2025-42880 has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.9 out of 10.

Impact

Successful exploitation of the vulnerabilities could lead to the following:

  • CVE-2025-42880: Allow an authenticated attacker to insert malicious code when calling a remote-enabled function module, potentially providing the attacker with full control of the affected system

  • CVE-2025-55754: Allow an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command

  • CVE-2025-42928: Allow a high-privileged user to achieve remote code execution on the target via specially crafted input

Affected Products

The vulnerabilities affect the following product versions:

  • CVE-2025-42880: SAP Solution Manager ST 720

  • CVE-2025-55754: SAP Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21.

  • CVE-2025-42928: SAP jConnect versions SYBASE_SOFTWARE_DEVELOPER_KIT 16.0.4 and 16.1 

Mitigation

Users and administrators of affected products are advised to update the affected products to the latest version immediately.

References

https://www.bleepingcomputer.com/news/security/sap-fixes-three-critical-vulnerabilities-across-multiple-products/

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/bulletin-2025.html#:~:text=SAP%20Security%20Patch%20Day%20%2D%20December%202025

https://nvd.nist.gov/vuln/detail/CVE-2025-42880

https://nvd.nist.gov/vuln/detail/CVE-2025-55754

https://nvd.nist.gov/vuln/detail/CVE-2025-42928

Back to top