
Vulnerabilities

SAP Patches Critical Vulnerabilities With December 2025 Security Updates

Affecting Solution Manager, Commerce Cloud, and jConnect SDK, the bugs could lead to code injection and remote code execution. The post SAP Patches Critical Vulnerabilities With December 2025 Security Updates appeared first on SecurityWeek.


Enterprise software maker SAP on Tuesday announced the release of 14 new security notes as part of its December 2025 security patch day, including three that address critical-severity vulnerabilities.

The first of the critical notes resolves CVE-2025-42880 (CVSS score of 9.9), which is described as a code injection in Solution Manager.

Affecting a remote-enabled module of the product, the security defect exists because user input is improperly validated, allowing authenticated attackers to inject arbitrary code, SAP security firm Onapsis explains.

The risk posed by the CVE, Pathlock security analyst Jonathan Stross says, is heightened by the central role Solution Manager has within enterprise environments, where it acts as a central operations and administration hub connected to other SAP systems.

“In many SAP environments, it helps admins to manage updates and push software throughout the organization’s SAP landscape; therefore, it has many high-privileged users and provides critical access to other systems. This is why a successful exploitation of this vulnerability could potentially give an attacker administrative-level access to the entire SAP enterprise landscape,” Stross said.

The second critical note in SAP’s December 2025 advisory deals with two bugs in the Apache Tomcat server used in Commerce Cloud, and has a CVSS score of 9.6.

Tracked as CVE-2025-55754 and CVE-2025-55752, the flaws were publicly disclosed in October and addressed in Tomcat versions 11.0.11, 10.1.45, and 9.0.109. Both could be exploited for remote code execution (RCE).

The third critical note released on this month’s SAP security patch day resolves CVE-2025-42928 (CVSS score of 9.1), a deserialization issue in jConnect SDK for Sybase Adaptive Server Enterprise (ASE).

According to Onapsis, attackers could exploit the vulnerability by sending specially crafted input, leading to RCE.

SAP’s December 2025 advisory also includes five security notes with a priority rating of ‘high’, including two that address denial of service (DoS) bugs in NetWeaver and BusinessObjects.

The other three deal with an information leak in Web Dispatcher and Internet Communication Manager (ICM); a memory corruption bug in Web Dispatcher, ICM, and Content Server; and a missing authorization check in SAP S/4HANA Private Cloud.

The remaining six security notes resolve medium-severity defects in NetWeaver, Application Server ABAP, SAPUI5, Enterprise Search for ABAP, and BusinessObjects.

SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to apply the patches as soon as possible.

