SAP released 14 new security notes on its monthly Security Patch Day on December 9, 2025, addressing vulnerabilities across key products, including SAP Solution Manager, NetWeaver, Commerce Cloud, and more.
Three critical flaws with CVSS scores above 9.0 demand immediate attention from organizations running affected systems.
The most severe issue, tracked as CVE-2025-42880 with a CVSS v3.0 base score of 9.9, is a code injection vulnerability in SAP Solution Manager (ST 720).
Detailed in SAP Note 3685270, it allows attackers with low privileges to execute arbitrary code, potentially compromising entire landscapes. Similarly, CVE-2025-55754 affects SAP Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21, stemming from multiple flaws in the embedded Apache Tomcat, including CVE-2025-55752 (SAP Note 3683579).
Another critical issue, the deserialization vulnerability CVE-2025-42928, affects SAP jConnect SDK for ASE versions 16.0.4 and 16.1, enabling high-privileged users to disrupt services and data integrity (SAP Note 3685286).
These flaws highlight persistent risks in enterprise management tools and cloud components, where exploitation could lead to remote code execution or full system compromise. SAP urges customers to prioritize the patches via the Support Portal.
High and Medium Priority Fixes
High-priority notes include CVE-2025-42878 (CVSS 8.2), exposing sensitive data in SAP Web Dispatcher and ICM across numerous kernel versions (SAP Note 3684682), and CVE-2025-42874 (CVSS 7.9), a denial-of-service (DoS) flaw in SAP NetWeaver's Xcelsius remote service (SAP Note 3640185).
Further high-severity issues cover DoS in SAP Business Objects (CVE-2025-48976, CVSS 7.5; Note 3650226), memory corruption in Web Dispatcher/ICM/Content Server (CVE-2025-42877, CVSS 7.5; Note 3677544), and missing authorization in S/4HANA Private Cloud (CVE-2025-42876, CVSS 7.1; Note 3672151).
Medium risks include missing authentication in NetWeaver ICF (CVE-2025-42875, CVSS 6.6; Note 3591163), information disclosure in ABAP Application Server (CVE-2025-42904, CVSS 6.5; Note 3662324), XSS in NetWeaver Enterprise Portal (CVE-2025-42872, CVSS 6.1; Note 3662622), DoS in SAPUI5 (CVE-2025-42873, CVSS 5.9; Note 3676970), missing auth in Enterprise Search (CVE-2025-42891, CVSS 5.5; Note 3659117), and SSRF in BusinessObjects BI Platform (CVE-2025-42896, CVSS 5.4; Note 3651390).
Note #  | CVE ID         | Product                           | Versions Affected                        | Priority | CVSS v3.0
--------|----------------|-----------------------------------|------------------------------------------|----------|----------
3685270 | CVE-2025-42880 | SAP Solution Manager              | ST 720                                   | Critical | 9.9
3683579 | CVE-2025-55754 | SAP Commerce Cloud                | HY_COM 2205, COM_CLOUD 2211, 2211-JDK21  | Critical | 9.6
3685286 | CVE-2025-42928 | SAP jConnect – SDK for ASE        | 16.0.4, 16.1                             | Critical | 9.1
3684682 | CVE-2025-42878 | SAP Web Dispatcher/ICM            | Multiple KRNL/WEBDISP/KERNEL             | High     | 8.2
3640185 | CVE-2025-42874 | SAP NetWeaver (Xcelsius)          | Multiple BI 7.50                         | High     | 7.9
3650226 | CVE-2025-48976 | SAP Business Objects              | ENTERPRISE 430, 2025, 2027               | High     | 7.5
3677544 | CVE-2025-42877 | Web Dispatcher/ICM/Content Server | Multiple 7.53/7.54                       | High     | 7.5
3672151 | CVE-2025-42876 | S/4HANA Private Cloud (GL)        | S4CORE 104-109                           | High     | 7.1
3591163 | CVE-2025-42875 | NetWeaver ICF                     | SAP_BASIS 700-758                        | Medium   | 6.6
3662324 | CVE-2025-42904 | Application Server ABAP           | Multiple KERNEL 7.53+                    | Medium   | 6.5
3662622 | CVE-2025-42872 | NetWeaver Enterprise Portal       | EP-RUNTIME 7.50                          | Medium   | 6.1
3676970 | CVE-2025-42873 | SAPUI5 (Markdown-it)              | SAP_UI 755-758                           | Medium   | 5.9
3659117 | CVE-2025-42891 | Enterprise Search for ABAP        | SAP_BASIS 752-816                        | Medium   | 5.5
3651390 | CVE-2025-42896 | BusinessObjects BI Platform       | ENTERPRISE 430, 2025, 2027               | Medium   | 5.4
Organizations should scan their environments using tools such as SAP EarlyWatch Alert or third-party scanners, test the patches in non-production systems, and apply them promptly to mitigate the risks of code injection, DoS, and data exposure.
Failure to patch could expose mission-critical systems to exploitation amid rising SAP-targeted attacks.
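The scanning and prioritization step above is where most of the triage work happens: an installed component inventory has to be matched against each note's affected release range, and the hits ordered so that the critical notes are scheduled first. The following Python script is an added example written for this article, not SAP's tooling or code from the original. The note numbers, CVE IDs, components and release ranges are taken from the table above (only the notes whose affected column names a single component with a clear range); the sample inventory is constructed, and treating a bare release number as inside a range is a simplifying assumption, since real applicability also depends on the support package level recorded in the note.

```python
"""Triage helper: match an installed SAP component inventory against a subset
of the December 2025 Patch Day notes and order the applicable notes by CVSS."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    note: int          # SAP Note number (from the advisory table)
    cve: str
    component: str     # software component the affected release range belongs to
    low: str           # lowest affected release, inclusive
    high: str          # highest affected release, inclusive
    cvss: float
    priority: str


# Notes from the table above whose affected-version column names one component
# and a release range. Range matching on the release number alone is an
# assumption; support-package level is not modelled here.
NOTES = [
    Note(3685270, "CVE-2025-42880", "ST", "720", "720", 9.9, "Critical"),
    Note(3672151, "CVE-2025-42876", "S4CORE", "104", "109", 7.1, "High"),
    Note(3591163, "CVE-2025-42875", "SAP_BASIS", "700", "758", 6.6, "Medium"),
    Note(3662622, "CVE-2025-42872", "EP-RUNTIME", "7.50", "7.50", 6.1, "Medium"),
    Note(3676970, "CVE-2025-42873", "SAP_UI", "755", "758", 5.9, "Medium"),
    Note(3659117, "CVE-2025-42891", "SAP_BASIS", "752", "816", 5.5, "Medium"),
]


def release_key(release):
    """Turn '754' or '7.50' into a tuple of ints so releases compare
    numerically rather than as strings ('816' must sort above '758')."""
    return tuple(int(part) for part in release.split("."))


def affected(note, release):
    """True if the installed release falls inside the note's affected range."""
    return release_key(note.low) <= release_key(release) <= release_key(note.high)


def triage(inventory):
    """inventory: iterable of (component, release) pairs.
    Returns the applicable notes, highest CVSS first, then by note number."""
    hits = {n for comp, rel in inventory for n in NOTES
            if n.component == comp and affected(n, rel)}
    return sorted(hits, key=lambda n: (-n.cvss, n.note))


def report(inventory):
    """One line per applicable note, ready to paste into a change ticket."""
    return [f"{n.priority:<8} CVSS {n.cvss:<4} SAP Note {n.note}  {n.cve}  ({n.component} {n.low}-{n.high})"
            for n in triage(inventory)]


# Constructed sample inventory for one system (not from the advisory).
SAMPLE_INVENTORY = [
    ("ST", "720"),
    ("SAP_BASIS", "754"),      # inside both SAP_BASIS ranges
    ("SAP_UI", "757"),
    ("S4CORE", "103"),         # below the affected S4CORE 104-109 range
    ("EP-RUNTIME", "7.40"),    # below the affected EP-RUNTIME 7.50
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INVENTORY)))
```

Running the script against the sample inventory lists four notes, led by SAP Note 3685270 at CVSS 9.9; the S4CORE and EP-RUNTIME entries sit below their affected ranges and are correctly left out. Extending NOTES with the remaining rows of the table requires a per-product version scheme for the entries listed as "Multiple", which is why they are omitted here.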
