CVE-2025-42880

CriticalRCE

Published: 09 December 2025

Published

09 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0013 31.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-42880 is a critical-severity Code Injection (CWE-94) vulnerability in Sap (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the missing input sanitation by requiring validation and sanitization of inputs to remote-enabled function modules, preventing code injection attacks.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of the specific code injection flaw through application of vendor patches like SAP security note 3685270.

SI-9 Information Input Restrictions good match

prevent

Restricts the types and quantity of inputs to remote function modules, mitigating malicious code insertion by authenticated attackers.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Vulnerability enables remote code execution by exploiting a remote-enabled function module (T1210: Exploitation of Remote Services) and escalates from low privileges to full system control (T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,…

integrity and availability of the system.

Deeper analysisAI

CVE-2025-42880 is a critical vulnerability in SAP Solution Manager stemming from missing input sanitation. It allows an authenticated attacker to insert malicious code when calling a remote-enabled function module, potentially granting full control over the affected system. The issue is classified under CWE-94 (Code Injection) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, changed scope, and high impact on confidentiality, integrity, and availability.

An authenticated attacker with low privileges can exploit this vulnerability remotely by invoking the affected remote-enabled function module with unsanitized input containing malicious code. Successful exploitation enables arbitrary code execution, leading to complete system compromise and severe impacts across confidentiality, integrity, and availability.

SAP addresses this vulnerability through security note 3685270 and inclusion in the SAP Security Patch Day, recommending application of the provided patches to mitigate the risk.