SAP Security Patch Day Fixes Critical Flaws in Solution Manager, NetWeaver & More

SAP has released its December 2025 Security Patch Day updates, addressing 14 new security notes that fix multiple critical and high‑severity vulnerabilities across key enterprise products.

Administrators are strongly advised to review the latest security notes in the SAP Support Portal and apply the patches without delay to protect their SAP environments.

The most serious issue this month is a code injection vulnerability in SAP Solution Manager (ST 720), tracked as CVE-2025-42880.

This flaw is rated Critical with a CVSS score of 9.9. It could allow an authenticated low‑privileged attacker to inject and execute arbitrary code in the affected system.

Successful exploitation can result in a complete compromise of confidentiality, integrity, and availability, making this patch a top priority for SAP Basis and security teams.

Another major update fixes multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud, tracked as CVE-2025-55754 together with the related CVE-2025-55752.

These affect HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211‑JDK21, and are rated Critical with a CVSS score of 9.6.

| CVE ID | Product / Component | Vulnerability Type | Priority | CVSS |
|---|---|---|---|---|
| CVE-2025-42880 | SAP Solution Manager (ST 720) | Code Injection | Critical | 9.9 |
| CVE-2025-55754 | SAP Commerce Cloud (HY_COM 2205, COM_CLOUD 2211, 2211-JDK21) | Multiple vulnerabilities in Apache Tomcat | Critical | 9.6 |
| CVE-2025-42928 | SAP jConnect – SDK for ASE (16.0.4, 16.1) | Deserialization vulnerability | Critical | 9.1 |
| CVE-2025-42878 | SAP Web Dispatcher & Internet Communication Manager (ICM) | Sensitive Data Exposure | High | 8.2 |
| CVE-2025-42874 | SAP NetWeaver (remote service for Xcelsius) | Denial of Service (DoS) | High | 7.9 |
| CVE-2025-48976 | SAP Business Objects (ENTERPRISE 430, 2025, 2027) | Denial of Service (DoS) | High | 7.5 |
| CVE-2025-42877 | SAP Web Dispatcher, ICM & SAP Content Server | Memory Corruption | High | 7.5 |
| CVE-2025-42876 | SAP S/4HANA Private Cloud (Financials General Ledger) | Missing Authorization Check | High | 7.1 |
| CVE-2025-42875 | SAP NetWeaver Internet Communication Framework | Missing Authentication Check | Medium | 6.6 |
| CVE-2025-42904 | Application Server ABAP (Kernel) | Information Disclosure | Medium | 6.5 |
| CVE-2025-42872 | SAP NetWeaver Enterprise Portal (EP-RUNTIME 7.50) | Cross-Site Scripting (XSS) | Medium | 6.1 |
| CVE-2025-42873 | SAPUI5 framework (Markdown-it component) | Denial of Service (DoS) | Medium | 5.9 |
| CVE-2025-42891 | SAP Enterprise Search for ABAP | Missing Authorization Check | Medium | 5.5 |
| CVE-2025-42896 | SAP BusinessObjects BI Platform (ENTERPRISE 430, 2025, 2027) | Server-Side Request Forgery (SSRF) | Medium | 5.4 |

The flaws can be triggered remotely and may result in a significant impact on data and service availability if left unpatched.

SAP has also addressed a deserialization vulnerability in the SAP jConnect – SDK for ASE (CVE-2025-42928) with a Critical rating and CVSS score of 9.1.

Improper handling of serialized objects can, under certain conditions, be exploited to execute code, so development and integration environments that use jConnect need to be updated as well as production systems.

Several high‑severity vulnerabilities have been fixed in core infrastructure components.

A sensitive data exposure issue in SAP Web Dispatcher and Internet Communication Manager (ICM) (CVE-2025-42878) and a memory corruption flaw in SAP Web Dispatcher, ICM, and SAP Content Server (CVE-2025-42877) can be exploited over the network.

Additional high‑priority notes cover denial‑of‑service vulnerabilities in SAP NetWeaver (remote service for Xcelsius) (CVE-2025-42874) and SAP Business Objects (CVE-2025-48976), as well as a missing authorization check in SAP S/4HANA Private Cloud Financials General Ledger (CVE-2025-42876).

Medium‑severity issues include missing authentication and authorization checks, information disclosure, cross‑site scripting (XSS), denial of service in the SAPUI5 Markdown‑it component, and server‑side request forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform.

While their CVSS scores are lower, these flaws still present real risk, particularly in complex, internet‑connected, or multi‑tenant landscapes.

SAP recommends that customers follow its published security hardening guidelines, regularly review security configuration baselines, and apply monthly patches.

Organizations should prioritize the critical and high‑severity notes, validate mitigations in test systems, and then roll out to production as part of a structured patch management process.
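As an added illustration of the triage step described above (this is not SAP's tooling and not part of the original article), the following Python script parses the month's note table, restricted to the products actually deployed in a landscape, and emits a patch order sorted by priority and then CVSS score. The pipe-separated bulletin text is constructed here from the table in the article; the inventory keywords (`"Web Dispatcher"`, `"NetWeaver"`) are hypothetical examples of what an administrator would supply.

```python
"""Triage helper for a monthly SAP Security Patch Day bulletin (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: the December 2025 note table from the article,
# one note per line as "CVE | product | vulnerability type | priority | CVSS".
BULLETIN = """\
CVE-2025-42880 | SAP Solution Manager (ST 720) | Code Injection | Critical | 9.9
CVE-2025-55754 | SAP Commerce Cloud (HY_COM 2205, COM_CLOUD 2211, 2211-JDK21) | Multiple vulnerabilities in Apache Tomcat | Critical | 9.6
CVE-2025-42928 | SAP jConnect - SDK for ASE (16.0.4, 16.1) | Deserialization vulnerability | Critical | 9.1
CVE-2025-42878 | SAP Web Dispatcher & Internet Communication Manager (ICM) | Sensitive Data Exposure | High | 8.2
CVE-2025-42874 | SAP NetWeaver (remote service for Xcelsius) | Denial of Service (DoS) | High | 7.9
CVE-2025-48976 | SAP Business Objects (ENTERPRISE 430, 2025, 2027) | Denial of Service (DoS) | High | 7.5
CVE-2025-42877 | SAP Web Dispatcher, ICM & SAP Content Server | Memory Corruption | High | 7.5
CVE-2025-42876 | SAP S/4HANA Private Cloud (Financials General Ledger) | Missing Authorization Check | High | 7.1
CVE-2025-42875 | SAP NetWeaver Internet Communication Framework | Missing Authentication Check | Medium | 6.6
CVE-2025-42904 | Application Server ABAP (Kernel) | Information Disclosure | Medium | 6.5
CVE-2025-42872 | SAP NetWeaver Enterprise Portal (EP-RUNTIME 7.50) | Cross-Site Scripting (XSS) | Medium | 6.1
CVE-2025-42873 | SAPUI5 framework (Markdown-it component) | Denial of Service (DoS) | Medium | 5.9
CVE-2025-42891 | SAP Enterprise Search for ABAP | Missing Authorization Check | Medium | 5.5
CVE-2025-42896 | SAP BusinessObjects BI Platform (ENTERPRISE 430, 2025, 2027) | Server-Side Request Forgery (SSRF) | Medium | 5.4
"""

# Rank used for ordering; lower number patches first.
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
CVE_PATTERN = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class SecurityNote:
    cve: str
    product: str
    vuln_type: str
    priority: str
    cvss: float


def parse_bulletin(text: str) -> list[SecurityNote]:
    """Parse pipe-separated note lines, rejecting malformed rows instead of guessing."""
    notes = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 columns, got {len(parts)}")
        cve, product, vuln_type, priority, cvss = parts
        if not CVE_PATTERN.fullmatch(cve):
            raise ValueError(f"line {lineno}: bad CVE id {cve!r}")
        if priority not in PRIORITY_RANK:
            raise ValueError(f"line {lineno}: unknown priority {priority!r}")
        score = float(cvss)
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"line {lineno}: CVSS out of range {score}")
        notes.append(SecurityNote(cve, product, vuln_type, priority, score))
    return notes


def in_scope(note: SecurityNote, inventory) -> bool:
    """True if any inventory keyword (hypothetical landscape list) appears in the product name."""
    product = note.product.lower()
    return any(keyword.lower() in product for keyword in inventory)


def patch_order(notes, inventory=None, min_cvss: float = 0.0) -> list[SecurityNote]:
    """Order notes by priority, then descending CVSS, then CVE id for a stable result.

    inventory=None means every product is considered deployed.
    """
    selected = [
        n for n in notes
        if n.cvss >= min_cvss and (inventory is None or in_scope(n, inventory))
    ]
    return sorted(selected, key=lambda n: (PRIORITY_RANK[n.priority], -n.cvss, n.cve))


if __name__ == "__main__":
    all_notes = parse_bulletin(BULLETIN)
    # Hypothetical landscape running only Web Dispatcher/ICM and NetWeaver stacks.
    for note in patch_order(all_notes, inventory=["Web Dispatcher", "NetWeaver"]):
        print(f"{note.priority:<8} {note.cvss:>4} {note.cve}  {note.product}")
```

Pass `min_cvss=7.0` to restrict the list to the Critical and High notes the article says to prioritize; the same ordering can then be fed to change tickets for the test-then-production rollout described above.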
