SAP Solution Manager ST 720 code injection security flaw (CVE-2025-42880)
Vulnerability
Summary
CVE-2025-42880 is a code injection flaw in SAP Solution Manager ST 720 that could let an authenticated attacker gain full control of the system. SAP included the fix in its December 2025 security updates, underscoring the risk to enterprise management environments.
Related Happenings
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector Action
First: 17.03.2026 07:23
Last: 17.03.2026 07:23
Sources 1
About this happening:
CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
SAP NetWeaver AS Java deserialization RCE (CVE-2025-42944)
Vulnerability
First: 15.10.2025 08:36
Last: 15.10.2025 08:36
Sources 1
About this happening:
**SAP NetWeaver AS Java** has a **CVE-2025-42944** insecure deserialization flaw that can let an **unauthenticated attacker** trigger **arbitrary OS command execution** through th...
SAP S/4HANA command injection flaw (CVE-2025-42957)
Vulnerability
First: 05.09.2025 13:59
Last: 05.09.2025 13:59
Sources 1
About this happening:
**SAP S/4HANA** is facing **active exploitation** of **CVE-2025-42957**, a **critical command injection flaw** that SAP **fixed last month**. The weakness affects **on-premise and...
Latest development: 05.09.2025 16:36
SecurityBridge discovers CVE-2025-42957 in SAP S/4HANA, reports the RFC-exposed ABAP code injection flaw to SAP, and helps develop a patch for affected systems.
Timeline
10.12.2025 00:41 · 2 articles
SAP discloses CVE-2025-42880 in December 2025 updates
Initial Disclosure
SAP released December 2025 security updates covering 14 vulnerabilities across multiple products and identified CVE-2025-42880 as a CVSS 9.9 code injection flaw in SAP Solution Manager ST 720. The issue stems from missing input sanitation in a remote-enabled function module, where an authenticated attacker could insert malicious code and gain full control of the system with high impact on confidentiality, integrity, and availability.
Sources:
- SAP fixes three critical vulnerabilities across multiple products — www.bleepingcomputer.com — 10.12.2025 00:41