CVE-2025-42887 | Due to missing input sanitation, SAP Solution Manager allows… | CVSS 9.9 CRITICAL

Description

Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system.

Metadata

CVE ID: CVE-2025-42887
State: PUBLISHED
Assigner: sap
Reserved: 2025-04-16 13:25 UTC
Published: 2025-11-11 00:14 UTC
Last updated: 2025-11-12 20:11 UTC
Primary CWE: CWE-94
CWE-94: Improper Control of Generation of Code
Vendor / Product: SAP_SE / SAP Solution Manager
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
SAP_SE	SAP Solution Manager	—	ST 720

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94: Improper Control of Generation of Code

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (2)