CVE-2025-42880

Critical

Published: 09 December 2025

Published

09 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0010 27.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,…

integrity and availability of the system.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the missing input sanitation by requiring validation and sanitization of inputs to remote-enabled function modules, preventing code injection attacks.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of the specific code injection flaw through application of vendor patches like SAP security note 3685270.

SI-9 Information Input Restrictions good match

prevent

Restricts the types and quantity of inputs to remote function modules, mitigating malicious code insertion by authenticated attackers.

Security SummaryAI

CVE-2025-42880 is a critical vulnerability in SAP Solution Manager stemming from missing input sanitation. It allows an authenticated attacker to insert malicious code when calling a remote-enabled function module, potentially granting full control over the affected system. The issue is classified under CWE-94 (Code Injection) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, changed scope, and high impact on confidentiality, integrity, and availability.

An authenticated attacker with low privileges can exploit this vulnerability remotely by invoking the affected remote-enabled function module with unsanitized input containing malicious code. Successful exploitation enables arbitrary code execution, leading to complete system compromise and severe impacts across confidentiality, integrity, and availability.

SAP addresses this vulnerability through security note 3685270 and inclusion in the SAP Security Patch Day, recommending application of the provided patches to mitigate the risk.

Details

CWE(s): CWE-94

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Vulnerability enables remote code execution by exploiting a remote-enabled function module (T1210: Exploitation of Remote Services) and escalates from low privileges to full system control (T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://me.sap.com/notes/3685270
cna@sap.com
https://url.sap/sapsecuritypatchday
cna@sap.com