SAP Patches Critical Vulnerabilities With December 2025 Security Updates


Enterprise software maker SAP on Tuesday announced the release of 14 new security notes as part of its December 2025 security patch day, including three that address critical-severity vulnerabilities.

The first of the critical notes resolves CVE-2025-42880 (CVSS score of 9.9), which is described as a code injection in Solution Manager.

Affecting a remote-enabled module of the product, the security defect exists because user input is improperly validated, allowing authenticated attackers to inject arbitrary code, SAP security firm Onapsis explains.

The risk posed by the CVE, Pathlock security analyst Jonathan Stross says, is heightened by the central role Solution Manager has within enterprise environments, where it acts as a central operations and administration hub connected to other SAP systems.

“In many SAP environments, it helps admins to manage updates and push software throughout the organization’s SAP landscape; therefore, it has many high-privileged users and provides critical access to ...


Copyright of this story solely belongs to SecurityWeek.