SAP patches three critical vulnerabilities across multiple enterprise products

10.12.2025 2 minutes Author: Newsman

SAP has released its December security updates, addressing 14 vulnerabilities, including three critical flaws with CVSS scores of up to 9.9. The most severe issues allow remote code execution and full system compromise, posing a major risk to enterprise environments.

The most critical flaw, CVE-2025-42880 (CVSS 9.9), affects SAP Solution Manager ST 720. Due to missing input validation, an authenticated attacker can inject malicious code when invoking a remotely accessible function module. Successful exploitation can lead to complete system takeover, impacting confidentiality, integrity, and availability.

The second critical issue, CVE-2025-55754 (CVSS 9.6), aggregates multiple Apache Tomcat vulnerabilities impacting SAP Commerce Cloud (HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21). As the platform underpins large enterprise e-commerce operations, the potential impact is significant.

The third critical vulnerability, CVE-2025-42928 (CVSS 9.1), is a deserialization flaw in SAP jConnect that, under certain conditions, allows a highly privileged user to achieve remote code execution using specially crafted inputs.

Beyond the critical flaws, SAP also fixed five high-severity and six medium-severity issues, including memory corruption, missing authentication and authorization checks, cross-site scripting, and information disclosure bugs. Earlier this year, researchers observed real-world exploitation of SAP vulnerabilities affecting S/4HANA and NetWeaver systems, reinforcing SAP’s status as a high-value target.

SAP stated that none of the 14 vulnerabilities are currently known to be actively exploited, but urges administrators to apply patches immediately.

This update highlights a persistent reality: SAP platforms run mission-critical workloads, and delayed patching can quickly escalate into full enterprise compromise. Rapid deployment of security updates remains essential for risk mitigation.
