Cyber Resilience

CVE-2025-42880

CriticalRCE

Published: 09 December 2025

Published
09 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0013 31.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-42880 is a critical-severity Code Injection (CWE-94) vulnerability in Sap (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-42880 is a critical vulnerability in SAP Solution Manager stemming from missing input sanitation. It allows an authenticated attacker to insert malicious code when calling a remote-enabled function module, potentially granting full control over the affected system. The issue is classified under CWE-94 (Code Injection) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, changed scope, and high impact on confidentiality, integrity, and availability.

An authenticated attacker with low privileges can exploit this vulnerability remotely by invoking the affected remote-enabled function module with unsanitized input containing malicious code. Successful exploitation enables arbitrary code execution, leading to complete system compromise and severe impacts across confidentiality, integrity, and availability.

SAP addresses this vulnerability through security note 3685270 and inclusion in the SAP Security Patch Day, recommending application of the provided patches to mitigate the risk.

EU & UK References

Vulnerability details

Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,…

more

integrity and availability of the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vulnerability enables remote code execution by exploiting a remote-enabled function module (T1210: Exploitation of Remote Services) and escalates from low privileges to full system control (T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2787Shared CWE-94
CVE-2025-48984Shared CWE-94
CVE-2026-25817Shared CWE-94
CVE-2026-24516Shared CWE-94
CVE-2025-42957Shared CWE-94
CVE-2025-42950Shared CWE-94
CVE-2025-21292Shared CWE-94
CVE-2026-26682Shared CWE-94
CVE-2025-9334Shared CWE-94
CVE-2024-7425Shared CWE-94

Affected Assets

Sap
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the missing input sanitation by requiring validation and sanitization of inputs to remote-enabled function modules, preventing code injection attacks.

prevent

Ensures timely remediation of the specific code injection flaw through application of vendor patches like SAP security note 3685270.

prevent

Restricts the types and quantity of inputs to remote function modules, mitigating malicious code insertion by authenticated attackers.

References