
Three critical flaws with CVSS scores exceeding 9.0 demand immediate attention from organizations running affected systems.
The most severe issue, tracked as CVE-2025-42880 with a CVSS v3.0 base score of 9.9, is a code injection vulnerability in SAP Solution Manager (ST 720).
According to SAP Note 3685270, an attacker with only low privileges could execute arbitrary code, potentially compromising the entire landscape. CVE-2025-55754 affects SAP Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21; it stems from multiple flaws in the embedded Apache Tomcat, including CVE-2025-55752 (SAP Note 3683579).
The third critical issue, CVE-2025-42928, is a deserialization vulnerability in SAP jConnect SDK for ASE versions 16.0.4 and 16.1 that lets a high-privileged user disrupt services and compromise data integrity (SAP Note 3685286).
These flaws highlight persistent risks in enterprise management tools and cloud components, where exploitation could lead to remote code execution or full system compromise. SAP urges customers to prioritize patches via the Support Portal.
High and Medium Priority Fixes
High-priority notes include CVE-2025-42878 (CVSS 8.2), exposing sensitive data in SAP Web Dispatcher and ICM across numerous kernel versions (SAP Note 3684682), and CVE-2025-42874 (CVSS 7.9), a DoS in SAP NetWeaver’s Xcelsius remote service (SAP Note 3640185).
Additional high-severity issues cover DoS in SAP Business Objects (CVE-2025-48976, CVSS 7.5; Note 3650226), memory corruption in Web Dispatcher/ICM/Content Server (CVE-2025-42877, CVSS 7.5; Note 3677544), and missing authorization in S/4HANA Private Cloud (CVE-2025-42876, CVSS 7.1; Note 3672151).
Medium-priority fixes cover missing authentication in NetWeaver ICF (CVE-2025-42875, CVSS 6.6; Note 3591163), information disclosure in Application Server ABAP (CVE-2025-42904, CVSS 6.5; Note 3662324), XSS in NetWeaver Enterprise Portal (CVE-2025-42872, CVSS 6.1; Note 3662622), DoS in SAPUI5 (CVE-2025-42873, CVSS 5.9; Note 3676970), missing authorization in Enterprise Search for ABAP (CVE-2025-42891, CVSS 5.5; Note 3659117), and SSRF in BusinessObjects BI Platform (CVE-2025-42896, CVSS 5.4; Note 3651390).
| Note # | CVE ID | Product | Versions Affected | Priority | CVSS v3.0 |
|---|---|---|---|---|---|
| 3685270 | CVE-2025-42880 | SAP Solution Manager | ST 720 | Critical | 9.9 |
| 3683579 | CVE-2025-55754 | SAP Commerce Cloud | HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21 | Critical | 9.6 |
| 3685286 | CVE-2025-42928 | SAP jConnect – SDK for ASE | 16.0.4, 16.1 | Critical | 9.1 |
| 3684682 | CVE-2025-42878 | SAP Web Dispatcher/ICM | Multiple KRNL/WEBDISP/KERNEL | High | 8.2 |
| 3640185 | CVE-2025-42874 | SAP NetWeaver (Xcelsius) | Multiple BI 7.50 | High | 7.9 |
| 3650226 | CVE-2025-48976 | SAP Business Objects | ENTERPRISE 430, 2025, 2027 | High | 7.5 |
| 3677544 | CVE-2025-42877 | Web Dispatcher/ICM/Content Server | Multiple 7.53/7.54 | High | 7.5 |
| 3672151 | CVE-2025-42876 | S/4HANA Private Cloud (GL) | S4CORE 104-109 | High | 7.1 |
| 3591163 | CVE-2025-42875 | NetWeaver ICF | SAP_BASIS 700-758 | Medium | 6.6 |
| 3662324 | CVE-2025-42904 | Application Server ABAP | Multiple KERNEL 7.53+ | Medium | 6.5 |
| 3662622 | CVE-2025-42872 | NetWeaver Enterprise Portal | EP-RUNTIME 7.50 | Medium | 6.1 |
| 3676970 | CVE-2025-42873 | SAPUI5 (Markdown-it) | SAP_UI 755-758 | Medium | 5.9 |
| 3659117 | CVE-2025-42891 | Enterprise Search for ABAP | SAP_BASIS 752-816 | Medium | 5.5 |
| 3651390 | CVE-2025-42896 | BusinessObjects BI Platform | ENTERPRISE 430, 2025, 2027 | Medium | 5.4 |
Organizations should identify affected systems with tools such as SAP EarlyWatch Alert or third-party scanners, test the notes in non-production first, and apply them promptly to reduce exposure to code injection, DoS, and data disclosure.
Failure to patch could expose mission-critical systems to exploitation amid rising SAP-targeted attacks.
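The triage step above (match this month's notes against what is actually installed, worst CVSS first) is easy to get wrong by hand across a dozen notes. The following Python script is an added example written for this page, not SAP tooling: it parses the advisory table reproduced from this page, matches it against a constructed component inventory, and separates notes whose Versions column is machine-readable from those marked "Multiple ..." that still need a manual check against the note itself. The grammar it assumes for the Versions column is an assumption about this table's notation (`COMP 700-758` is an inclusive numeric range, `COMP 430,2025,2027` is a list of exact releases with the component name carrying over, a version with no component name is keyed by the product column), as is the `INSTALLED` inventory.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Rows copied from the advisory table on this page.
ADVISORY_TABLE = """
| 3685270 | CVE-2025-42880 | SAP Solution Manager | ST 720 | Critical | 9.9 |
| 3683579 | CVE-2025-55754 | SAP Commerce Cloud | HY_COM 2205, COM_CLOUD 2211, 2211-JDK21 | Critical | 9.6 |
| 3685286 | CVE-2025-42928 | SAP jConnect – SDK for ASE | 16.0.4, 16.1 | Critical | 9.1 |
| 3684682 | CVE-2025-42878 | SAP Web Dispatcher/ICM | Multiple KRNL/WEBDISP/KERNEL | High | 8.2 |
| 3640185 | CVE-2025-42874 | SAP NetWeaver (Xcelsius) | Multiple BI 7.50 | High | 7.9 |
| 3650226 | CVE-2025-48976 | SAP Business Objects | ENTERPRISE 430,2025,2027 | High | 7.5 |
| 3677544 | CVE-2025-42877 | Web Dispatcher/ICM/Content Server | Multiple 7.53/7.54 | High | 7.5 |
| 3672151 | CVE-2025-42876 | S/4HANA Private Cloud (GL) | S4CORE 104-109 | High | 7.1 |
| 3591163 | CVE-2025-42875 | NetWeaver ICF | SAP_BASIS 700-758 | Medium | 6.6 |
| 3662324 | CVE-2025-42904 | Application Server ABAP | Multiple KERNEL 7.53+ | Medium | 6.5 |
| 3662622 | CVE-2025-42872 | NetWeaver Enterprise Portal | EP-RUNTIME 7.50 | Medium | 6.1 |
| 3676970 | CVE-2025-42873 | SAPUI5 (Markdown-it) | SAP_UI 755-758 | Medium | 5.9 |
| 3659117 | CVE-2025-42891 | Enterprise Search for ABAP | SAP_BASIS 752-816 | Medium | 5.5 |
| 3651390 | CVE-2025-42896 | BusinessObjects BI Platform | ENTERPRISE 430,2025,2027 | Medium | 5.4 |
"""

# Assumed notation of the Versions column: 'SAP_BASIS 700-758' is a component
# plus an inclusive numeric range; anything else after the component is exact.
_COMP_RE = re.compile(r"^([A-Z][A-Z0-9_\-]*)\s+(\S.*)$")
_RANGE_RE = re.compile(r"^(\d+)-(\d+)$")

@dataclass
class VersionSpec:
    component: str
    low: Optional[int] = None      # inclusive numeric range ...
    high: Optional[int] = None
    literal: Optional[str] = None  # ... or one exact version string

    def matches(self, installed: str) -> bool:
        if self.literal is not None:
            return installed == self.literal
        return installed.isdigit() and self.low <= int(installed) <= self.high

@dataclass
class Advisory:
    note: str
    cve: str
    product: str
    versions: str
    priority: str
    cvss: float
    specs: List[VersionSpec] = field(default_factory=list)
    manual: bool = False           # Versions column starts with 'Multiple'

def parse_versions(product: str, text: str) -> Tuple[List[VersionSpec], bool]:
    if text.startswith("Multiple"):
        return [], True
    specs, component = [], product  # no component named: key by product
    for item in (s.strip() for s in text.split(",")):
        m = _COMP_RE.match(item)
        if m:
            component, item = m.group(1), m.group(2)
        r = _RANGE_RE.match(item)
        specs.append(VersionSpec(component, int(r.group(1)), int(r.group(2))) if r
                     else VersionSpec(component, literal=item))
    return specs, False

def parse_table(text: str) -> List[Advisory]:
    advisories = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or not cells[0].isdigit():
            continue               # header, separator or blank line
        note, cve, product, versions, priority, cvss = cells
        specs, manual = parse_versions(product, versions)
        advisories.append(Advisory(note, cve, product, versions, priority,
                                   float(cvss), specs, manual))
    return sorted(advisories, key=lambda a: a.cvss, reverse=True)  # worst first

def triage(inventory: Dict[str, str], advisories: List[Advisory]):
    """Split advisories into (applicable to this inventory, needs manual review)."""
    applicable, needs_review = [], []
    for adv in advisories:
        if adv.manual:
            needs_review.append(adv)
        elif any(s.component in inventory and s.matches(inventory[s.component])
                 for s in adv.specs):
            applicable.append(adv)
    return applicable, needs_review

# Constructed inventory for one landscape: component -> installed release.
INSTALLED = {"SAP_BASIS": "754", "S4CORE": "107", "ENTERPRISE": "2025",
             "ST": "720", "SAP_UI": "754", "KERNEL": "7.53"}

if __name__ == "__main__":
    todo, review = triage(INSTALLED, parse_table(ADVISORY_TABLE))
    for a in todo:
        print(f"APPLY  {a.note} {a.cve} {a.priority:<8} {a.cvss:>4} {a.product}")
    for a in review:
        print(f"REVIEW {a.note} {a.cve} {a.priority:<8} {a.cvss:>4} {a.versions}")
```

With the constructed inventory, the script lists six notes to apply (3685270 first, then 3650226, 3672151, 3591163, 3659117 and 3651390) and four kernel-level notes to review by hand; SAP_UI 754 falls outside the 755-758 range of Note 3676970, which is exactly the kind of off-by-one a version-range check catches and a glance at the table does not. In practice the inventory would come from the component list of each system (System > Status in the SAP GUI, or a scanner export) rather than a literal, and "needs review" rows must be resolved against the kernel patch levels in the note itself, since the table does not carry them.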
The post SAP Security Patch Day: Fix for Critical Vulnerabilities in SAP Solution Manager, NetWeaver, and Other Products appeared first on Cyber Security News.
