- 263/2025
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple SAP products.
SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products, such as SAP NetWeaver (remote service for Xcelsius, Internet Communication Framework, Enterprise Portal, Application Server ABAP), SAP BusinessObjects Business Intelligence Platform, SAP Web Dispatcher and Internet Communication Manager (ICM), SAP S/4 HANA Private Cloud (Financials General Ledger), SAPUI5 framework (Markdown-it component), SAP Commerce Cloud, SAP jConnect – SDK for ASE, SAP Content Server, SAP Solution Manager.
The remote attacker could exploit some of these vulnerabilities to perform denial of service attacks, corrupt memory, conduct cross-site scripting and server-side request forgery attacks, obtain sensitive information, execute arbitrarycommands, and gain access to the affected product.
Sample of the addressed vulnerabilities:
1. SAP Solution Manager Code Injection Vulnerability (CVE-2025-42880):
- CVSS: 9.9
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
2. SAP Web Dispatcher and Internet Communication Manager (ICM) Sensitive Data Exposure Vulnerability (CVE-2025-42878):
- CVSS: 8.2
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Consequences: Obtain Information
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.