Summary: SAP released its December security patches with 14 new security issues, impacting SAP Solution Manager, Commerce Cloud, jConnect SDK, Web Dispatcher/ICM, NetWeaver and related components. The patches address critical flaws that could enable remote code execution across SAP's product ecosystem, posing significant risk to enterprises worldwide.
| OEM | SAP |
| Severity | Critical |
| CVSS Score | 9.9 |
| CVEs | CVE-2025-42880, CVE-2025-55754, CVE-2025-42928, CVE-2025-42878 & 10 more CVEs |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Critical and High severity flaws in SAP business software include remote code execution, code injection, denial of service and other vulnerabilities. Organizations should prioritize applying the patches to protect their SAP landscape. IT managers should check whether they are running affected products and install the updates promptly where necessary.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Code Injection vulnerability in SAP Solution Manager | CVE-2025-42880 | SAP Solution Manager | Critical | SAP Security Notes Dec 2025 |
| Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | CVE-2025-55754 | SAP Commerce Cloud | Critical | SAP Security Notes Dec 2025 |
| Deserialization vulnerability in SAP jConnect – SDK for ASE | CVE-2025-42928 | SAP jConnect – SDK for ASE | Critical | SAP Security Notes Dec 2025 |
Technical Summary
Three Critical vulnerabilities enable remote code execution or code injection, allowing attackers to take control of core systems such as Solution Manager, Commerce Cloud and the jConnect SDK.
High severity issues include information disclosure, denial of service, memory corruption and authorization bypass affecting Web Dispatcher, NetWeaver, BusinessObjects and S/4HANA. If these vulnerabilities are left unpatched, organizations face risks including data exposure, unplanned downtime of BI and HTTP front ends, and unauthorized financial transactions.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-42880 | SAP Solution Manager (ST 720) | A low-privileged user can inject and execute arbitrary code, potentially compromising the entire SolMan stack. | Full compromise of the Solution Manager system |
| CVE-2025-55754 | SAP Commerce Cloud (embedded Apache Tomcat) | Multiple Tomcat flaws enable remote attackers to execute arbitrary code on servers. | Complete takeover of Commerce Cloud nodes |
| CVE-2025-42928 | SAP jConnect SDK for ASE | Insecure deserialization allows crafted objects to trigger arbitrary code execution. | Enables high-impact attacks against connected database applications |
Several other High to Medium severity issues affect SAP NetWeaver Internet Communication Framework, ABAP Application Server, SAPUI5, Enterprise Portal, Enterprise Search and Business Intelligence platforms. These include information disclosure, cross-site scripting, missing authentication/authorization checks, denial of service and SSRF vulnerabilities.
| Vulnerability Name | CVE ID | Severity |
|---|---|---|
| Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM) | CVE-2025-42878 | High |
| Denial of Service (DoS) in SAP NetWeaver (remote service for Xcelsius) | CVE-2025-42874 | High |
| Denial of Service (DoS) in SAP BusinessObjects | CVE-2025-48976 | High |
| Memory Corruption vulnerability in SAP Web Dispatcher, Internet Communication Manager and SAP Content Server | CVE-2025-42877 | High |
| Missing Authorization Check in SAP S/4HANA Private Cloud (Financials General Ledger) | CVE-2025-42876 | High |
| Missing Authentication Check in SAP NetWeaver Internet Communication Framework | CVE-2025-42875 | Medium |
| Information Disclosure vulnerability in Application Server ABAP | CVE-2025-42904 | Medium |
| Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | CVE-2025-42872 | Medium |
| Denial of Service (DoS) in SAPUI5 framework (Markdown-it component) | CVE-2025-42873 | Medium |
| Missing Authorization Check in SAP Enterprise Search for ABAP | CVE-2025-42891 | Medium |
| Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform | CVE-2025-42896 | Medium |
Remediation:
Apply the latest SAP Security Notes from the December 2025 Patch Day immediately.
If an immediate upgrade is not feasible, here are some recommendations:
Conclusion:
The December 2025 SAP patches fix critical and high-risk flaws in major products such as Solution Manager and Commerce Cloud.
These vulnerabilities could lead to remote code execution, service outages and data leaks. Apply these updates quickly to safeguard SAP systems and ensure business continuity. If they are not patched in time, attackers could achieve cross-scope escalation and execute arbitrary code, disrupting critical business functions.
References: