Security Alert: SAP Resolves Three Critical Vulnerabilities in Multiple Products
SAP Addresses Critical Security Vulnerabilities in December Updates
With its December security updates, SAP has resolved 14 vulnerabilities across its products, three of which are rated critical.
The most severe of these, CVE-2025-42880 (CVSS 9.9), is a code injection flaw in SAP Solution Manager ST 720. An authenticated attacker can inject malicious code through a remote-enabled function module (one callable over RFC), which could lead to a complete system takeover and compromise the confidentiality, integrity, and availability of the system.
SAP Solution Manager is the central application lifecycle management and monitoring platform in SAP landscapes, providing system monitoring, technical configuration, incident and service desk functions, a documentation hub, and test management.
The second critical entry covers multiple Apache Tomcat vulnerabilities in the SAP Commerce Cloud components HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21. SAP tracks the entry under CVE-2025-55754 with a CVSS score of 9.6.
SAP Commerce Cloud is an e-commerce platform used by large retailers and global brands to run online stores, managing product catalogs, pricing, promotions, checkout, order management, customer accounts, and ERP/CRM integration.
The third critical vulnerability, CVE-2025-42928, is a deserialization flaw in SAP jConnect that could allow a high-privileged user to execute code remotely on the target system under specific conditions.
SAP jConnect is the JDBC driver used to connect Java applications to SAP ASE and SAP SQL Anywhere databases, and is widely deployed by developers and database administrators.
Beyond the three critical items, SAP's December 2025 bulletin also fixes five high-severity flaws and six medium-severity issues, covering memory corruption, missing authentication and authorization checks, cross-site scripting, and information disclosure.
Because SAP systems sit at the core of enterprise environments and handle sensitive data and workloads, they remain a prime target for attackers. Earlier this year, SecurityBridge researchers observed real-world exploitation of a code injection flaw (CVE-2025-42957) affecting SAP S/4HANA, Business One, and NetWeaver deployments.
SAP has not flagged any of the 14 vulnerabilities as exploited in the wild, but administrators are strongly advised to apply the fixes promptly, prioritizing the three critical items and any affected components that are reachable from untrusted networks.