Advisory

SAP December 2025 patch day fixes critical code injection and multiple high-severity flaws

Take action: If you are running SAP products, review the advisory in detail. Prioritize patching SAP Solution Manager and the Apache Tomcat version bundled with SAP Commerce Cloud, as these carry the critical flaws. Then proceed to the remaining products and vulnerabilities.

Learn More

SAP released its December 2025 security update, patching seventeen security vulnerabilities across its product portfolio. The release includes four HotNews Notes fixing five critical vulnerabilities and five High Priority Notes addressing significant security flaws.

Critical vulnerabilities

  • CVE-2025-42880 (CVSS score 9.9) - Code injection vulnerability in SAP Solution Manager affecting version ST 720
  • CVE-2025-42887 (CVSS score 9.9) - Code injection vulnerability in SAP Solution Manager, initially released in November and updated with additional correction instructions
  • CVE-2025-55754 and CVE-2025-55752 (CVSS score 9.6) - Multiple vulnerabilities affecting the Apache Tomcat version used by SAP Commerce Cloud, across versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21
  • CVE-2025-42928 (CVSS score 9.1) - Deserialization vulnerability in SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE) versions 16.0.4 and 16.1, enabling remote code execution through specially crafted input

High Priority vulnerabilities

  • CVE-2025-42878 (CVSS score 8.2) - Sensitive data exposure in SAP Web Dispatcher and Internet Communication Manager (ICM) across multiple kernel versions, where vulnerable testing interfaces could be exploited by unauthenticated attackers
  • CVE-2025-42877 (CVSS score 7.5) - Memory corruption vulnerabilities across SAP Web Dispatcher, Internet Communication Manager, and SAP Content Server in versions 7.53 and 7.54
  • CVE-2025-42874 (CVSS score 7.9) - Denial of service vulnerability in the SAP NetWeaver remote service for XCelsius affecting BI-BASE version 7.50
  • CVE-2025-48976 (CVSS score 7.5) - Denial of service vulnerability in SAP Business Objects versions ENTERPRISE 430, 2025, and 2027
  • CVE-2025-42876 (CVSS score 7.1) - Missing authorization check in SAP S/4 HANA Private Cloud (Financials General Ledger) across S4CORE versions 104 through 109

Medium Priority vulnerabilities

  • CVE-2025-42875 (CVSS score 6.6) - Missing authentication check in SAP NetWeaver Internet Communication Framework across multiple SAP_BASIS versions from 700 to 758
  • CVE-2025-42904 (CVSS score 6.5) - Information disclosure vulnerability in Application Server ABAP affecting kernel versions 7.53 through 9.17
  • CVE-2025-42872 (CVSS score 6.1) - Cross-site scripting vulnerability in SAP NetWeaver Enterprise Portal version EP-RUNTIME 7.50
  • CVE-2025-42873 (CVSS score 5.9) - Denial of service in the SAPUI5 framework's Markdown-it component
  • CVE-2025-42891 (CVSS score 5.5) - Missing authorization checks in SAP Enterprise Search for ABAP
  • CVE-2025-42896 (CVSS score 5.4) - Server-side request forgery in SAP BusinessObjects Business Intelligence Platform
  • CVE-2025-42961 (CVSS score 4.9) - Missing authorization in SAP NetWeaver Application Server for ABAP
  • CVE-2025-42986 (CVSS score 4.3) - Missing authorization in SAP NetWeaver and ABAP Platform

SAP strongly recommends that customers immediately visit the SAP Support Portal and apply these security patches as a priority. The highest priority are the SAP Solution Manager and Apache Tomcat (SAP Commerce Cloud) fixes.