Enterprise software maker SAP on Tuesday announced the release of 14 new security notes as part of its December 2025 security patch day, including three that address critical-severity vulnerabilities.
The first of the critical notes resolves CVE-2025-42880 (CVSS score of 9.9), which is described as a code injection in Solution Manager.
Affecting a remote-enabled module of the product, the security defect exists because user input is improperly validated, allowing authenticated attackers to inject arbitrary code, SAP security firm Onapsis explains.
The risk posed by the CVE, Pathlock security analyst Jonathan Stross says, is heightened by the central role Solution Manager has within enterprise environments, where it acts as a central operations and management hub connected to other SAP systems.
“In many SAP environments, it helps admins to manage updates and push software throughout the organization’s SAP landscape; therefore, it has many high-privileged users and provides critical access to other systems. This is why a successful exploitation of this vulnerability could potentially give an attacker administrative-level access to the entire SAP enterprise landscape,” Stross said.
The second critical note in SAP’s December 2025 advisory deals with two bugs in the Apache Tomcat server used in Commerce Cloud, and has a CVSS score of 9.6.
Tracked as CVE-2025-55754 and CVE-2025-55752, the flaws were publicly disclosed in October and addressed in Tomcat versions 11.0.11, 10.1.45, and 9.0.109. Both could be exploited for remote code execution (RCE).
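A defender-side check for the Tomcat patch levels named above, added here as an example (it is not code from SAP, Onapsis or the original article): it parses an installed Tomcat version, compares it against the fixed release for its branch, and flags hosts still exposed to the two CVEs. The host inventory is constructed, and the function names `parse_version`, `is_patched` and `triage` are choices made for this example.

```python
"""Check Apache Tomcat versions against the fixed releases named in
SAP's December 2025 advisory for Commerce Cloud (CVE-2025-55754 and
CVE-2025-55752). Added example; the inventory below is constructed."""
import re

# Fixed release per Tomcat branch, as listed in the advisory text.
FIXED_VERSIONS = {
    9: (9, 0, 109),
    10: (10, 1, 45),
    11: (11, 0, 11),
}
CVES = ("CVE-2025-55754", "CVE-2025-55752")

# Only plain GA version strings are accepted; milestone builds such as
# "11.0.11-M1" are rejected so they are never mistaken for the GA fix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'major.minor.patch' into an int tuple, or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if the version is at or above the fixed release of its branch.

    Branches with no fixed release in the advisory (for example 8.x) are
    reported as unpatched, since there is nothing to upgrade to within
    that branch. Tuple comparison keeps 10.0.x below 10.1.45, which is
    correct: the 10.0 line did not receive the fix.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return False
    return parsed >= fixed


def triage(inventory):
    """Map host name -> {version, patched, cves} for an inventory dict."""
    report = {}
    for host, version in inventory.items():
        patched = is_patched(version)
        report[host] = {
            "version": version,
            "patched": patched,
            "cves": [] if patched else list(CVES),
        }
    return report


# Constructed sample inventory; host names and versions are invented.
SAMPLE_INVENTORY = {
    "commerce-app-01": "9.0.108",
    "commerce-app-02": "10.1.45",
    "commerce-app-03": "11.0.10",
    "legacy-app-04": "8.5.100",
}

if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        status = "OK" if row["patched"] else "UPDATE: " + ", ".join(row["cves"])
        print(f"{host:18} {row['version']:10} {status}")
```

The inventory here is a dict, but the same `is_patched` call works over whatever source lists your Commerce Cloud nodes and their bundled Tomcat build; the point is that the comparison is done per branch, so a 10.0.x node is not counted as fixed just because 10.1.45 exists.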
The third critical note released on this month’s SAP security patch day resolves CVE-2025-42928 (CVSS score of 9.1), a deserialization issue in jConnect SDK for Sybase Adaptive Server Enterprise (ASE).
According to Onapsis, attackers could exploit the vulnerability by sending specially crafted input, leading to RCE.
SAP’s December 2025 advisory also includes five security notes with a priority rating of ‘high’, including two that address denial of service (DoS) bugs in NetWeaver and Business Objects.
The other three deal with an information leak issue in Web Dispatcher and Internet Communication Manager (ICM), a memory corruption bug in Web Dispatcher, ICM, and Content Server, and a missing authorization check flaw in SAP S/4 HANA Private Cloud.
The remaining six security notes resolve medium-severity defects in NetWeaver, Application Server ABAP, SAPUI5, Enterprise Search for ABAP, and BusinessObjects.
SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to apply the patches as soon as possible.
