
SAP has released its December security updates addressing 14 vulnerabilities across a range of products, including three critical-severity flaws.
The most severe (CVSS score: 9.9) of all the issues is CVE-2025-42880, a code injection problem impacting SAP Solution Manager ST 720.
“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” reads the flaw’s description.
“This could provide the attacker with full control of the system, hence leading to high impact on confidentiality, integrity, and availability of the system.”
SAP Solution Manager is the vendor’s central lifecycle management and monitoring platform used by enterprises for system monitoring, technical configuration, incident and service desk, documentation hub, and test management.
The next most severe flaw SAP fixed this month concerns multiple Apache Tomcat vulnerabilities impacting SAP Commerce Cloud components in versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21.
The flaws are tracked in SAP Commerce Cloud under a single identifier, CVE-2025-55754, given a CVSS severity rating of 9.6.
SAP Commerce Cloud is an enterprise-grade e-commerce platform backing large-scale online stores with product catalogs, pricing, promotions, checkout, order management, customer accounts, and ERP/CRM integration. It is often used by large retailers and global brands.
The third critical (CVSS score: 9.1) flaw fixed this month is CVE-2025-42928, a deserialization vulnerability impacting SAP jConnect, which, under certain conditions, could allow a high-privileged user to achieve remote code execution on the target via specially crafted input.
SAP jConnect is a JDBC driver used by developers and database administrators to connect Java applications to SAP ASE and SAP SQL Anywhere databases.
SAP’s December 2025 bulletin also lists fixes for 5 high-severity flaws and 6 medium-severity issues, including memory corruption, missing authentication and authorization checks, cross-site scripting, and information disclosure.
SAP solutions are deeply embedded in enterprise environments and handle sensitive, high-value workloads, making them a valuable target for attackers.
Earlier this year, SecurityBridge researchers observed in-the-wild attacks abusing a code-injection flaw (CVE-2025-42957) impacting SAP S/4HANA, Business One, and NetWeaver deployments.
SAP has not marked any of the 14 flaws as actively exploited in the wild, but administrators should deploy the fixes promptly.
