December’s SAP Security Patch Day is one of the most significant of 2025. SAP published 14 security notes, including 3 critical (HotNews) with a CVSS score above 9.0, 5 high-priority and 6 medium-priority notes. This article discusses each of them in detail.
🚨 CRITICAL (HotNews) - CVSS 9.0+
1. Code Injection in SAP Solution Manager (CVE-2025-42880)
SAP Note: 3685270 CVSS: 9.9/10 Component: SV-SMG-SVD-SWB
This is the most serious vulnerability of the month, and one of the most dangerous in recent times. The issue concerns a lack of input sanitisation in a remote-enabled function module within SAP Solution Manager.
What is the threat?
An authenticated attacker could inject malicious code during a call to the remote-enabled function module. Successful exploitation gives the attacker full control over the system, resulting in a critical impact on confidentiality, integrity and availability.
Attack vector (CVSS v3.0):
- Attack Vector: Network - the attack is possible over the network
- Attack Complexity: Low
- Privileges Required: Low - low privileges are sufficient
- User Interaction: None
- Scope: Changed - impact on other components is possible
Resolution:
SAP has fixed the issue by adding input sanitisation code that rejects most non-alphanumeric characters. Organisations should implement the Correction Instructions or Support Packages indicated in the security note.
Workaround: None - implementing the fix is the only solution.
Why is this critical?
SAP Solution Manager is the central tool for managing an SAP landscape. Compromising this system could open the door to attacks on every SAP system it manages across the organisation.
2. Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud (CVE-2025-55754, CVE-2025-55752)
SAP Note: 3683579 CVSS: 9.6/10 Component: CEC-SCC-PLA-PL
SAP Commerce Cloud uses a version of Apache Tomcat containing two serious vulnerabilities.
CVE-2025-55754 - Console Manipulation
This vulnerability enables console manipulation attacks via specially crafted URLs. An attacker could exploit this flaw to manipulate displayed data or perform unauthorised operations.
CVE-2025-55752 - Relative Path Traversal
A classic path traversal vulnerability allowing access to files and directories outside the application’s intended scope.
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None - no authentication required
- User Interaction: Required
- Scope: Changed
Resolution:
SAP Commerce Cloud requires an update to a version containing the corrected Apache Tomcat build:
- SAP Commerce Cloud Patch Release 2205.45
- SAP Commerce Cloud Update Release 2211.47
- SAP Commerce Cloud Update Release 2211-jdk21.5
After installing the patch, the updated version of SAP Commerce Cloud must be rebuilt and redeployed.
Workaround: None.
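To make the relative path traversal class behind CVE-2025-55752 concrete, here is an added Python example (not Apache Tomcat's or SAP's code) of the containment check a file-serving component needs: canonicalise the requested path under its base directory and refuse anything that resolves outside it. The base directory /srv/app/static and the request paths are constructed samples, not paths from the note.

```python
"""Containment check for a file path built from user input, the defect class
(relative path traversal) described above."""
from pathlib import Path


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Resolve user_path beneath base_dir and refuse anything that escapes it.

    The decision is made on the canonical path ('..' collapsed, symlinks
    followed), never on the raw string, because a traversal payload is built
    precisely from the segments a string check tends to miss.
    """
    base = Path(base_dir).resolve()
    # An absolute user_path replaces base in the join, which is one more
    # reason the result has to be re-checked against base afterwards.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return candidate


def classify_path(base_dir: str, user_path: str) -> str:
    """'allowed' or 'blocked', for table-driven checks and tests."""
    try:
        resolve_within(base_dir, user_path)
        return "allowed"
    except PermissionError:
        return "blocked"


# Constructed sample: a static-file root and request paths as a file-serving
# component might receive them after URL decoding.
SAMPLE_BASE = "/srv/app/static"
SAMPLE_REQUESTS = [
    "css/site.css",
    "css/../img/logo.png",
    "../../../etc/passwd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:25} -> {classify_path(SAMPLE_BASE, req)}")
```

The check assumes the input has already been URL-decoded by the server; it must run on the decoded form, since a percent-encoded `..` would otherwise pass through the string untouched.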
3. Deserialization Vulnerability in SAP jConnect - SDK for ASE (CVE-2025-42928)
SAP Note: 3685286 CVSS: 9.1/10 Component: BC-SYB-SDK
A deserialisation vulnerability in SAP jConnect enables remote code execution (RCE).
What is the threat?
Under certain conditions, a user with high privileges could supply specially crafted input that triggers the deserialisation flaw and results in remote code execution.
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
Resolution:
SAP has disabled serialisation and deserialisation of vulnerable input values in SAP jConnect for JDBC Driver. The values that can be set for connection properties have also been restricted.
Update required to:
- SDK FOR SAP ASE 16.0 SP04 PL08
- SDK FOR SAP ASE 16.1 SP00 PL01 HF1
Workaround: None.
⚠️ HIGH PRIORITY - CVSS 7.0-8.9
4. Denial of Service (DoS) in SAP NetWeaver - remote service for Xcelsius (CVE-2025-42874)
SAP Note: 3640185 CVSS: 7.9/10 Component: BW-BEX-ET-XC
A vulnerability in the remote service for Xcelsius within SAP NetWeaver enables arbitrary code execution.
What is the threat?
An attacker with network access and high privileges could execute arbitrary code on the target system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorised control of the system.
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Historical context:
It is worth noting that Xcelsius reached end of life on 31 December 2020, as it was built on Adobe Flash, which itself ended support on 12 January 2021. This fix removes the remote service required for Xcelsius entirely.
Resolution:
For SAP NetWeaver BI 7.50, the BI Java Patch must be imported. Detailed delivery information is available in Note 3539090.
Workaround: Available as a temporary measure - details in the manual activities section of the note. However, SAP strongly recommends implementing the full fix.
5. Sensitive Data Exposure in SAP Web Dispatcher and ICM (CVE-2025-42878)
SAP Note: 3684682 CVSS: 8.6/10 Component: BC-CST-IC
SAP Web Dispatcher and the Internet Communication Manager (ICM) may expose internal test interfaces that are not intended for production use.
What is the threat?
If the icm/HTTP/icm_test_ parameter is enabled, unauthenticated attackers could exploit it to:
- Access diagnostic functions
- Send crafted requests
- Disrupt services
Scope of the vulnerability:
The vulnerability affects:
- Standalone Web Dispatcher installations
- Web Dispatcher within HANA Extended Application Services Classic and Advanced Model (XSC, XSA)
- ICM within SAP NetWeaver Application Server ABAP and Java
Important: Web Dispatcher and ICM are only vulnerable if the icm/HTTP/icm_test_ parameter has been explicitly set in the configuration.
Resolution:
All icm/HTTP/icm_test_ parameters must be removed from the DEFAULT and instance profiles, followed by a restart of Web Dispatcher or the application server.
The parameter is vectorised - it may appear as icm/HTTP/icm_test_0, icm/HTTP/icm_test_1, and so on.
Workaround: None - removing the parameters is the only solution.
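As an added example (not SAP's code and not part of the note), a small Python scanner that reports every icm/HTTP/icm_test_<n> entry in a profile file. It matches on the parameter name prefix so that all vectorised indices are caught, and it skips commented-out lines so that a disabled entry is not reported as a finding. The profile line format (one `name = value` per line, `#` comments), the directory path /usr/sap/<SID>/SYS/profile used in the docstring, and the sample profile content are assumptions and constructed sample data, not values taken from the note.

```python
"""Scan SAP profile files for the vectorised icm/HTTP/icm_test_<n> parameter."""
import re
from pathlib import Path

# Any parameter whose name starts with this prefix is in scope; the index
# suffix (0, 1, ...) varies, which is why an exact match on one full name
# would miss entries.
ICM_TEST_PREFIX = "icm/HTTP/icm_test_"

# name = value, where the name may not start with '#', '=' or whitespace.
_PARAM_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def find_icm_test_parameters(profile_text: str):
    """Return (line_number, parameter, value) for every active icm_test_ entry.

    Comment lines are ignored and matching is done on the parameter name only,
    so a value that merely mentions the string is not reported.
    """
    hits = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        m = _PARAM_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if name.startswith(ICM_TEST_PREFIX):
            hits.append((lineno, name, value))
    return hits


def scan_profile_dir(profile_dir):
    """Scan every file in a profile directory (assumed: /usr/sap/<SID>/SYS/profile).

    Returns a dict mapping file name -> list of hits; files with no hits are
    omitted, so an empty dict means there is nothing to remove.
    """
    findings = {}
    for path in sorted(Path(profile_dir).iterdir()):
        if not path.is_file():
            continue
        hits = find_icm_test_parameters(path.read_text(errors="replace"))
        if hits:
            findings[path.name] = hits
    return findings


# Constructed sample: a DEFAULT profile fragment with one commented-out and two
# active vectorised entries. These are not real values from any SAP note.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = ABC
icm/server_port_0 = PROT=HTTP,PORT=8000
# icm/HTTP/icm_test_0 = PREFIX=/icm_test   (commented out, harmless)
icm/HTTP/icm_test_0 = PREFIX=/icm_test
icm/HTTP/icm_test_1 = PREFIX=/icm_test_1
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=icm.log
"""

if __name__ == "__main__":
    for lineno, name, value in find_icm_test_parameters(SAMPLE_PROFILE):
        print(f"line {lineno}: {name} = {value}  <- remove, then restart")
```

Run `scan_profile_dir` against the DEFAULT and instance profiles of each Web Dispatcher and application server; a non-empty result is the list of lines to remove before the restart the note requires.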
6. Denial of Service (DoS) in SAP Business Objects (CVE-2025-48976)
SAP Note: 3650226 CVSS: 7.5/10 Component: BI-BIP-CMC
A Denial of Service vulnerability in SAP Business Objects.
What is the threat?
An unauthenticated attacker could flood the service with requests due to improper handling of requests and resources. This results in legitimate users being denied access, long delays, or complete service disruption.
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality/Integrity Impact: None
- Availability Impact: High
Resolution:
SAP has fixed the issue by updating the affected third-party components to secure versions, ensuring strengthened resource management and protection against uncontrolled resource consumption.
The patches listed in the “Support Packages & Patches” section of the security note should be implemented.
Workaround: None.
7. Memory Corruption in SAP Web Dispatcher, ICM and SAP Content Server (CVE-2025-42877)
SAP Note: 3677544 CVSS: 7.5/10 Component: BC-CST-IC
A memory corruption vulnerability in key components of the SAP infrastructure.
What is the threat?
An unauthenticated user could exploit logic errors leading to memory corruption. This could result in issues such as buffer overflow, heap overflow, memory leaks, dangling pointers or null pointer dereferences.
Scope of the vulnerability:
- ICM within SAP NetWeaver Application Server ABAP and Java
- SAP Web Dispatcher (standalone and embedded)
- SAP Content Server
- SAP HANA XSA (versions below 1.4.0)
Exclusions:
- SAP Web Dispatcher within HANA XSC is not affected
- SAP HANA XSA version 1.4.0 and above is not affected
Resolution:
The fix is delivered via:
- SAPWEBDISP.SAR (for standalone Web Dispatcher)
- dw.sar (hotfix)
- SAPEXE.SAR and SAPEXEDB.SAR (SP Stack Kernel)
- SAPCS.SAR (for SAP Content Server)
If Web Dispatcher is installed ahead of the SAP NetWeaver Application Server, both components must be patched.
Workaround: None.
8. Missing Authorization Check in SAP S/4HANA Private Cloud - Financials General Ledger (CVE-2025-42876)
SAP Note: 3672151 CVSS: 7.1/10 Component: FI-GL-GL-G
A serious authorisation control vulnerability in the S/4HANA financials module.
What is the threat?
An authenticated attacker with authorisation restricted to a single organisational unit (company code) could:
- Read sensitive data across all organisational units
- Post or modify documents across all organisational units
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Cause:
A change to the ECS logic introduced a programming error.
Resolution:
The affected functions have been corrected to properly check access restrictions. The Correction Instructions or Support Packages indicated in the note should be implemented.
Workaround: As a temporary measure, the changes described in the functional SAP note 3673002 can be implemented.
📋 MEDIUM PRIORITY - CVSS 4.0-6.9
9. Missing Authentication check in SAP NetWeaver Internet Communication Framework (CVE-2025-42875)
SAP Note: 3591163 CVSS: 6.6/10 Component: BC-MID-ICF
A vulnerability related to a lack of proper authentication in SAP ICF.
What is the threat?
The SAP Internet Communication Framework does not perform an authentication check for functions requiring user identification. An attacker with high privileges could reuse authorisation tokens, breaching secure authentication practices.
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- C/I/A Impact: Low/Low/Low
Resolution:
The fix ensures proper resetting of user identity. The Correction Instructions or Support Packages should be implemented.
Workaround: None.
10. Information Disclosure in Application Server ABAP (CVE-2025-42904)
SAP Note: 3662324 CVSS: 6.5/10 Component: BC-ABA-LI
An information disclosure vulnerability in AS ABAP.
What is the threat?
An authenticated attacker could read unmasked values displayed in ABAP lists. Successful exploitation results in unauthorised disclosure of data.
Cause:
The issue is a regression introduced by SAP note 3633999. If the kernel patch from that note was applied, masking in ABAP lists was always bypassed.
Who is affected?
- If the kernel patch level is below the level in note 3633999 - you are not affected
- If the kernel patch level matches note 3633999 and is below the level in this security note - you are affected
Resolution:
The fix restores masking in ABAP lists and reverses the regression. It applies to kernels: 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.17.
Workaround: None.
11. Cross-Site Scripting (XSS) in SAP NetWeaver Enterprise Portal (CVE-2025-42872)
SAP Note: 3662622 CVSS: 6.1/10 Component: EP-CON-SAP
A reflected XSS vulnerability in the SAP NetWeaver Enterprise Portal.
What is the threat?
An unauthenticated attacker could inject malicious scripts that execute in the context of other users’ browsers, enabling:
- Theft of session cookies
- Theft of tokens
- Interception of other sensitive information
Cause:
URL parameters were not properly encoded.
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality/Integrity Impact: Low
- Availability Impact: None
Resolution:
URL parameters are now properly encoded to prevent successful XSS attacks. The Support Packages and Patches indicated in the note should be implemented.
Workaround: None.
12. Denial of Service (DoS) in SAPUI5 framework - Markdown-it component (CVE-2025-42873)
SAP Note: 3676970 CVSS: 5.9/10 Component: CA-UI5-CTR-ROD
A DoS vulnerability in a component used by SAPUI5 and OpenUI5.
What is the threat?
SAPUI5 packages (and OpenUI5) use outdated third-party libraries with known vulnerabilities. When markdown-it encounters specially crafted, malformed input, it fails to terminate correctly, causing an infinite loop.
Effects:
- High CPU consumption
- Loss of system responsiveness
- Blocked processing thread
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Confidentiality/Integrity Impact: None
- Availability Impact: High
Resolution:
Update the markdown-it library to the latest version. Minimum patched SAPUI5 versions:
SAP_UI release - minimum SAPUI5 patch level
755 - 1.84.56
756 - 1.96.44
757 - 1.108.47
758 - 1.120.37
816 - 1.136.9
Cloud - 1.139.1
For the SAPUI5 master codeline, the fix is available from version 1.141.0.
Workaround: Requires manual activities - see the note for details.
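The SAPUI5 table above and the kernel patch-level rule in item 10 come down to the same question: is the installed level inside the vulnerable window? The following Python, added here as an example and not code from SAP or the notes, answers it numerically, because a plain string comparison of dotted versions ranks "1.108.47" below "1.84.56" and "1.84.7" above "1.84.56". The SAPUI5 minimums are copied from the table and the master codeline threshold from the sentence above; the key name "master" is my own label. The kernel patch levels for notes 3633999 and 3662324 are not given on this page, so that function takes them as parameters, and the numbers used when the script runs are placeholders. "Matches note 3633999" is interpreted here as at or above that level.

```python
"""Version-window checks for the SAPUI5 (note 3676970) and ABAP kernel
(note 3662324) fixes, compared numerically rather than as strings."""
import re
from typing import Tuple

# Minimum patched SAPUI5 version per SAP_UI release, copied from the note's table.
# "master" is my own key for the SAPUI5 master codeline (fix from 1.141.0).
MIN_PATCHED_UI5 = {
    "755": "1.84.56",
    "756": "1.96.44",
    "757": "1.108.47",
    "758": "1.120.37",
    "816": "1.136.9",
    "Cloud": "1.139.1",
    "master": "1.141.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.108.47' -> (1, 108, 47). Tuples compare element-wise as integers,
    which is exactly what a text comparison of dotted versions gets wrong."""
    version = version.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def ui5_is_patched(sap_ui_release: str, installed_version: str) -> bool:
    """True if the installed SAPUI5 build is at or above the minimum for its release.
    An unknown release raises rather than silently reading as 'patched'."""
    if sap_ui_release not in MIN_PATCHED_UI5:
        raise ValueError(f"no minimum patched level known for SAP_UI {sap_ui_release!r}")
    return parse_version(installed_version) >= parse_version(MIN_PATCHED_UI5[sap_ui_release])


def kernel_regression_affected(installed_pl: int, regression_pl: int, fix_pl: int) -> bool:
    """Apply the rule from note 3662324: a kernel below the patch level that
    introduced the regression (note 3633999) is not affected; one at that level
    (or later) but below this note's fix level is affected. Neither level is on
    this page, so the caller supplies both."""
    if regression_pl > fix_pl:
        raise ValueError("fix level cannot precede the regression level")
    return regression_pl <= installed_pl < fix_pl


if __name__ == "__main__":
    # Constructed sample inventory: (SAP_UI release, installed SAPUI5 version)
    for release, version in [("757", "1.108.47"), ("755", "1.84.7"), ("master", "1.141.2")]:
        print(f"SAP_UI {release} / SAPUI5 {version}: patched={ui5_is_patched(release, version)}")
    # Placeholder patch levels, NOT the real ones from notes 3633999 / 3662324
    print("kernel PL 120 affected:", kernel_regression_affected(120, 100, 150))
```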
13. Missing Authorization check in SAP Enterprise Search for ABAP (CVE-2025-42891)
SAP Note: 3659117 CVSS: 5.5/10 Component: BC-EIM-ESH
Missing authorisation control in SAP Enterprise Search.
What is the threat?
An attacker with high privileges could read and export the contents of database tables into an ABAP report.
Attack vector (CVSS v3.0):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Cause:
Missing authorisation control for access to specific database tables.
Resolution:
The fix removes the report content. The Correction Instructions or the relevant Support Packages & Patches should be implemented.
Workaround: None.
14. Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform (CVE-2025-42896)
SAP Note: 3651390 CVSS: 5.4/10 Component: BI-BIP-INV
An SSRF vulnerability in the SAP BusinessObjects BI platform.
What is the threat?
An unauthenticated remote attacker could send crafted requests via the URL parameter controlling the login page error message. This could cause the server to fetch attacker-supplied URLs.
Cause:
Insufficient validation of user-supplied input in the URL parameter.
Resolution:
The fix validates and sanitises the login page URL parameters to prevent unauthorised requests. The Support Packages indicated in the note should be implemented.
Information on the Business Intelligence Platform maintenance schedule is available in Knowledge Base Article 2144559.
Workaround: None.
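An added Python example, not SAP's fix, of the kind of validation the resolution describes: a URL taken from a request parameter is accepted only when it is absolute, uses https, carries no embedded credentials or non-default port, and names a host on an explicit allowlist; everything else fails closed and the accepted URL is rebuilt from the validated parts only. The function name, the host bi.example.com, the https-only assumption and the sample parameter values are constructed assumptions, not details from the note.

```python
"""Allowlist validation for a URL supplied in a request parameter (the input
class behind SSRF via a login-page URL parameter)."""
from typing import Optional, Set
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"https"}   # assumption: the portal is served over https only
MAX_URL_LEN = 2048


def validate_url_parameter(raw_url: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Return a normalised URL if it may be fetched or redirected to, else None.

    Fail-closed rules: absolute URL, https scheme, host on the allowlist, no
    userinfo ('user@host' tricks), no non-default port. The URL is rebuilt from
    the validated parts so fragments and userinfo never reach the consumer.
    """
    if not raw_url or len(raw_url) > MAX_URL_LEN:
        return None
    try:
        parts = urlsplit(raw_url.strip())
    except ValueError:           # e.g. unbalanced brackets in the netloc
        return None
    if parts.scheme not in ALLOWED_SCHEMES:      # urlsplit lowercases the scheme
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").rstrip(".")    # .hostname is already lowercased
    if host not in allowed_hosts:
        return None
    try:
        if parts.port not in (None, 443):
            return None
    except ValueError:           # non-numeric or out-of-range port
        return None
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


# Constructed sample inputs, as a request handler might receive them.
SAMPLE_HOSTS = {"bi.example.com"}
SAMPLE_PARAMS = [
    "https://bi.example.com/login?x=1#frag",
    "HTTPS://BI.EXAMPLE.COM:443/",
    "http://bi.example.com/",
    "https://bi.example.com@evil.example/",
    "//bi.example.com/x",
    "https://bi.example.com:8443/",
]

if __name__ == "__main__":
    for p in SAMPLE_PARAMS:
        print(f"{p!r:45} -> {validate_url_parameter(p, SAMPLE_HOSTS)}")
```

The allowlist is deliberately a set of exact host names rather than a suffix match, so that a registered look-alike domain ending in the expected suffix cannot slip through.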
#SAP #Cybersecurity #SecurityPatchDay #SAPSecurity #ITSecurity #SAPBasis #Vulnerabilities #PatchManagement #SNOK #SAPNetWeaver #S4HANA #SAPCommerce #InfoSec