SAP fixes three critical vulnerabilities across multiple products

SAP has released its December security updates addressing 14 vulnerabilities across a range of products, including three critical-severity flaws.

The most severe (CVSS score: 9.9) of all the issues is CVE-2025-42880, a code injection problem impacting SAP Solution Manager ST 720.

“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to inject malicious code when calling a remote-enabled function module,” reads the flaw’s description.

“This could provide the attacker with full control of the system, hence leading to high impact on confidentiality, integrity, and availability of the system.”

SAP Solution Manager is the vendor’s central lifecycle management and monitoring platform used by enterprises for system monitoring, technical configuration, incident and service desk, documentation hub, and test management.

The next most severe flaw SAP fixed this month concerns multiple Apache Tomcat vulnerabilities impacting SAP Commerce Cloud components in versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21.

The flaws are tracked in SAP Commerce Cloud under a single identifier, CVE-2025-55754, given a CVSS severity rating of 9.6.


SAP Commerce Cloud is an enterprise-grade e-commerce platform backing large-scale online stores with product catalogs, pricing, promotions, checkout, order management, customer accounts, and ERP/CRM integration. It is typically used by large retailers and global brands.

The third critical (CVSS score: 9.1) flaw fixed this month is CVE-2025-42928, a deserialization vulnerability impacting SAP jConnect, which, under certain conditions, could allow a high-privileged user to achieve remote code execution on the target via specially crafted input.

SAP jConnect is a JDBC driver used by developers and database administrators to connect Java applications to SAP ASE and SAP SQL Anywhere databases.

SAP’s December 2025 bulletin also lists fixes for five high-severity flaws and six medium-severity issues, including memory corruption, missing authentication and authorization checks, cross-site scripting, and information disclosure.

SAP solutions are deeply embedded in enterprise environments and handle sensitive, high-value workloads, making them a valuable target for attackers.

Earlier this year, SecurityBridge researchers observed in-the-wild attacks abusing a code-injection flaw (CVE-2025-42957) impacting SAP S/4HANA, Business One, and NetWeaver deployments.


SAP has not marked any of the 14 flaws as actively exploited in the wild, but administrators should deploy the fixes without delay.
