SAP has released 14 new security notes on December 9, 2025, addressing vulnerabilities across key products such as SAP Solution Manager, NetWeaver, and Commerce Cloud. Among these, three critical flaws with CVSS scores exceeding 9.0 require immediate attention from organizations utilizing the affected systems.
Critical Vulnerabilities
The most severe issue, identified as CVE-2025-42880 with a CVSS v3.0 base score of 9.9, is a code injection vulnerability in SAP Solution Manager (ST 720). Detailed in SAP Note 3685270, this flaw allows attackers with low privileges to execute arbitrary code, potentially compromising entire landscapes.
Similarly, CVE-2025-55754 affects SAP Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21. This vulnerability arises from multiple flaws in the embedded Apache Tomcat, including CVE-2025-55752, as noted in SAP Note 3683579.
Another critical issue, CVE-2025-42928, is a deserialization vulnerability targeting SAP jConnect SDK for ASE versions 16.0.4 and 16.1. This flaw enables high-privileged users to disrupt services and compromise data integrity, as detailed in SAP Note 3685286.
These vulnerabilities underscore persistent risks in enterprise management tools and cloud components, where exploitation could lead to remote code execution or full system compromise. SAP urges customers to prioritize applying these patches via the Support Portal.
High and Medium Priority Fixes
In addition to the critical vulnerabilities, SAP has addressed several high and medium priority issues:
– CVE-2025-42878 (CVSS 8.2): This vulnerability exposes sensitive data in SAP Web Dispatcher and Internet Communication Manager (ICM) across numerous kernel versions. Refer to SAP Note 3684682 for details.
– CVE-2025-42874 (CVSS 7.9): A denial of service (DoS) vulnerability in SAP NetWeaver’s Xcelsius remote service. See SAP Note 3640185 for more information.
– CVE-2025-48976 (CVSS 7.5): A DoS vulnerability in SAP Business Objects. Details are available in SAP Note 3650226.
– CVE-2025-42877 (CVSS 7.5): Memory corruption vulnerability in SAP Web Dispatcher, ICM, and Content Server. Refer to SAP Note 3677544.
– CVE-2025-42876 (CVSS 7.1): Missing authorization check in SAP S/4HANA Private Cloud (Financials General Ledger). See SAP Note 3672151 for details.
Medium priority vulnerabilities include missing authentication checks, information disclosure issues, cross-site scripting (XSS) vulnerabilities, and server-side request forgery (SSRF) flaws across various SAP products. Organizations are advised to review the relevant SAP Notes and apply patches accordingly.
Recommendations for Organizations
To mitigate the risks associated with these vulnerabilities, organizations should:
1. Review and Prioritize Patches: Utilize tools like SAP EarlyWatch Alert or third-party scanners to identify affected systems. Test patches in non-production environments before deployment.
2. Apply Patches Promptly: Implement the patches as soon as possible to protect against potential exploits.
3. Monitor Systems: Continuously monitor systems for unusual activity that may indicate exploitation attempts.
4. Educate Staff: Ensure that IT and security teams are aware of these vulnerabilities and the importance of timely patching.
Failure to address these vulnerabilities promptly could expose mission-critical systems to significant risks, including data breaches and operational disruptions.
Conclusion
SAP’s December 2025 Security Patch Day highlights the ongoing need for vigilance in maintaining the security of enterprise systems. By promptly applying the provided patches and following best practices for system security, organizations can safeguard their SAP environments against potential threats.
