Ethical Hacking News
SAP has released its December 2025 security updates, addressing 14 vulnerabilities across various products, including three critical-severity flaws. These patches are aimed at mitigating potential attacks on SAP solutions that are deeply embedded in enterprise environments and manage sensitive, high-value workloads.
The most severe issue is CVE-2025-42880, a code injection flaw in SAP Solution Manager ST 720 rated CVSS 9.9. The second critical flaw, CVE-2025-55754, affects SAP Commerce Cloud components and carries a CVSS rating of 9.6. The third, CVE-2025-42928, is a deserialization vulnerability in SAP jConnect rated CVSS 9.1. The bulletin also includes fixes for five high-severity flaws and six medium-severity issues.
The most severe vulnerability, with a CVSS score of 9.9, is CVE-2025-42880, a code injection problem impacting SAP Solution Manager ST 720. The flaw allows an authenticated attacker to inject malicious code when calling a remote-enabled function module, potentially leading to full control of the system and a high impact on confidentiality, integrity, and availability.
SAP Solution Manager is the vendor's central lifecycle management and monitoring platform, used by enterprises for system monitoring, technical configuration, incident and service desk, documentation, and test management. SAP attributes the flaw to missing input sanitization. Because the attacker must already be authenticated, the practical exposure until the note is applied is bounded by who is permitted to call remote-enabled function modules; reviewing RFC authorizations (the S_RFC authorization object) and auditing RFC access on Solution Manager systems narrows that window.
The next most severe flaw SAP fixed concerns multiple Apache Tomcat vulnerabilities impacting SAP Commerce Cloud components in versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21. SAP tracks the fix under a single identifier, CVE-2025-55754, and rates it CVSS 9.6; the vulnerable code is in the bundled Tomcat rather than in SAP's own components, so the relevant check is which Tomcat build the installed Commerce release ships with, not only the Commerce version string.
SAP Commerce Cloud is an enterprise-grade e-commerce platform backing large-scale online stores with product catalogs, pricing, promotions, checkout, order management, customer accounts, and ERP/CRM integration. Given its widespread use by large retailers and global brands, this vulnerability poses significant risks to organizations relying on the platform for their online commerce needs.
The third critical (CVSS score: 9.1) flaw fixed this month is CVE-2025-42928, a deserialization vulnerability impacting SAP jConnect, which, under certain conditions, could allow a high-privileged user to achieve remote code execution on the target via specially crafted input.
SAP jConnect is a JDBC driver used by developers and database administrators to connect Java applications to SAP ASE and SAP SQL Anywhere databases. Because a JDBC driver runs inside the Java application that loads it, crafted input reaching this deserialization path is processed on the application host, not on the database server. The patched driver therefore has to be rolled out to every application server, batch job, and administration tool that embeds jConnect, and an inventory of where the driver JAR is deployed is the first step in closing this one.
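The vulnerability class described above is Java object deserialization of data the receiving code does not control. The following is an added, generic illustration of that sink and of the standard hardening for it (a JEP 290 ObjectInputFilter allowlist, Java 9 and later). It is hypothetical example code written for this page; it is not SAP's code, it does not reproduce the jConnect flaw's mechanics, and the class names, the RowCount type, and the payload bytes are all constructed here for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Generic illustration of a deserialization sink and its hardened form.
 * Hypothetical code for this article; not SAP's and not the jConnect flaw.
 */
public class DeserializationFilterDemo {

    /** The one type this hypothetical client legitimately expects back. */
    public static final class RowCount implements Serializable {
        private static final long serialVersionUID = 1L;
        public final int rows;
        public RowCount(int rows) { this.rows = rows; }
    }

    /** Builds constructed payload bytes; a real sink reads them off a socket or file. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: any Serializable class on the classpath gets instantiated. */
    public static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: allowlist the expected class, cap graph size, reject everything else. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=3;maxrefs=16;maxbytes=4096;"
                + "DeserializationFilterDemo$RowCount;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();  // throws InvalidClassException when the filter rejects a class
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new RowCount(42));
        // Constructed stand-in for an attacker-chosen object graph. A real payload
        // would name gadget classes that happen to be present on the victim classpath;
        // the filter rejects it for the same reason it rejects this one: not allowlisted.
        byte[] untrusted = serialize(new ArrayList<>(List.of("not a RowCount")));

        System.out.println("unfiltered accepted: " + readUnfiltered(untrusted).getClass().getName());
        System.out.println("filtered accepted RowCount: " + ((RowCount) readFiltered(expected)).rows);
        try {
            readFiltered(untrusted);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The point of the allowlist form is that the decision is made before any constructor, readObject method, or gadget chain runs: the filter sees the class name as the stream is parsed and refuses it up front. A process-wide default can also be set with the jdk.serialFilter system property, which is the practical route when the deserializing code lives inside a third-party driver you cannot edit.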
In addition to these critical vulnerabilities, SAP's December 2025 bulletin also lists fixes for five high-severity flaws and six medium-severity issues, including memory corruption, missing authentication and authorization checks, cross-site scripting, and information disclosure. While these vulnerabilities may not have the same level of severity as the three critical ones addressed in this release, they still pose significant risks to organizations that use SAP products.
Given the widespread use of SAP solutions across industries, organizations should apply the December 2025 Security Notes promptly. For ABAP-based products such as Solution Manager, note implementation status can be verified in transaction SNOTE; for Commerce Cloud and jConnect, the fixes are delivered as updated software versions, so the installed component versions should be compared against those named in each note before a system is assumed to be unaffected.
Earlier this year, SecurityBridge researchers observed in-the-wild attacks abusing a code-injection flaw (CVE-2025-42957) impacting SAP S/4HANA, Business One, and NetWeaver deployments. While the recent vulnerabilities addressed by SAP do not appear to be directly related to these earlier attacks, they underscore the ongoing need for vigilance in monitoring and responding to security threats.
In conclusion, SAP's December 2025 security updates address a total of 14 vulnerabilities across multiple products, including three critical-severity flaws. Organizations that rely on SAP solutions must prioritize deploying these patches as soon as possible to minimize the risk of exploitation by attackers.
Related Information:
https://www.ethicalhackingnews.com/articles/SAP-Addresses-Critical-Vulnerabilities-Across-Multiple-Products-ehn.shtml
https://www.bleepingcomputer.com/news/security/sap-fixes-three-critical-vulnerabilities-across-multiple-products/
https://nvd.nist.gov/vuln/detail/CVE-2025-42880
https://www.cvedetails.com/cve/CVE-2025-42880/
https://nvd.nist.gov/vuln/detail/CVE-2025-55754
https://www.cvedetails.com/cve/CVE-2025-55754/
https://nvd.nist.gov/vuln/detail/CVE-2025-42928
https://www.cvedetails.com/cve/CVE-2025-42928/
https://nvd.nist.gov/vuln/detail/CVE-2025-42957
https://www.cvedetails.com/cve/CVE-2025-42957/
Published: Tue Dec 9 16:52:05 2025 by llama3.2 3B Q4_K_M