Critical Vulnerabilities in Multiple SAP Products
10 December 2025
SAP has released security updates to address critical vulnerabilities in their SAP Solution Manager ST 720, SAP Commerce Cloud and SAP jConnect. Users and administrators of affected product versions are advised to update to the latest version immediately.
Background
SAP has released security updates to address critical vulnerabilities in their SAP Solution Manager (CVE-2025-42880), SAP Commerce Cloud (CVE-2025-55754) and SAP jConnect (CVE-2025-42928). CVE-2025-42880 has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.9 out of 10.
Impact
Successful exploitation of the vulnerabilities could lead to the following:
CVE-2025-42880: Allow an authenticated attacker to insert malicious code when calling a remote-enabled function module, potentially providing the attacker with full control of the affected system
CVE-2025-55754: Allow an attacker to use a specially crafted URL to inject ANSI escape sequences that manipulate the console and the clipboard, in an attempt to trick an administrator into running an attacker-controlled command
CVE-2025-42928: Allow a high-privileged user to achieve remote code execution on the target via specially crafted input
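A defensive check for the CVE-2025-55754 behaviour described above, added here as an example (it is not SAP's code and not part of the original advisory): it scans access-log lines for ANSI escape sequences carried in the request URL, including percent-encoded and double-encoded forms, and reports them with control characters neutralised. It assumes request URLs are written to a Common Log Format style access log; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request target inside a Common Log Format style line (assumed layout).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_target(target, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded ESC (%251b) is caught."""
    data = target.encode("utf-8", "replace")
    for _ in range(max_rounds):
        data = unquote_to_bytes(data)
    return data

def classify(data):
    """Name the sequence kinds after each ESC; OSC 52 is xterm's clipboard access."""
    kinds = set()
    # ESC (0x1b) introduces every 7-bit ANSI control sequence.
    for i in (m.start() for m in re.finditer(rb"\x1b", data)):
        if data[i + 1:i + 2] == b"[":
            kinds.add("csi")  # cursor, colour and screen control
        elif data[i + 1:i + 2] == b"]":
            kinds.add("osc52-clipboard" if data[i + 2:i + 5] == b"52;" else "osc")
        else:
            kinds.add("esc")
    return sorted(kinds)

def neutralise(text):
    """Show non-printable characters as \\xNN so findings are safe to print."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)

def scan(lines):
    """Return (line_number, kinds, safe_target) for each suspicious line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        target = match.group(1) if match else line
        kinds = classify(decode_target(target))
        if kinds:
            findings.append((number, kinds, neutralise(target)))
    return findings

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    '192.0.2.11 - - [10/Dec/2025:09:00:02 +0000] "GET /a%1b[2Jb HTTP/1.1" 404 0',
    '192.0.2.12 - - [10/Dec/2025:09:00:03 +0000] "GET /x%251b%5d52;c;AAAA%07 HTTP/1.1" 404 0',
    '192.0.2.13 - - [10/Dec/2025:09:00:04 +0000] "GET /caf%C3%A9 HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Only the ESC byte is matched, so ordinary percent-encoded UTF-8 such as the third sample line does not raise a finding.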
Affected Products
The vulnerabilities affect the following product versions:
CVE-2025-42880: SAP Solution Manager ST 720
CVE-2025-55754: SAP Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21
CVE-2025-42928: SAP jConnect versions SYBASE_SOFTWARE_DEVELOPER_KIT 16.0.4 and 16.1
Mitigation
Users and administrators of affected products are advised to update the affected products to the latest version immediately.
References
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2025.html
https://nvd.nist.gov/vuln/detail/CVE-2025-42880
