Tuesday, December 23, 2025

SAP fixes three critical vulnerabilities across multiple products

SAP has released its December security updates addressing 14 vulnerabilities across a range of products, including three critical-severity flaws.

The most severe (CVSS score: 9.9) of all the issues is CVE-2025-42880, a code injection problem impacting SAP Solution Manager ST 720.

“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” reads the flaw’s description.

“This could provide the attacker with full control of the system, hence leading to high impact on confidentiality, integrity, and availability of the system.”

SAP Solution Manager is the vendor’s central lifecycle management and monitoring platform used by enterprises for system monitoring, technical configuration, incident and service desk, documentation hub, and test management.

The next most severe flaw SAP fixed this month concerns multiple Apache Tomcat vulnerabilities impacting SAP Commerce Cloud components in versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21.

The flaws are tracked in SAP Commerce Cloud under a single identifier, CVE-2025-55754, given a CVSS severity score of 9.6.

SAP Commerce Cloud is an enterprise-grade e-commerce platform backing large-scale online stores with product catalogs, pricing, promotions, checkout, order management, customer accounts, and ERP/CRM integration. It is typically used by large retailers and global brands.

The third critical (CVSS score: 9.1) flaw fixed this month is CVE-2025-42928, a deserialization vulnerability impacting SAP jConnect, which, under certain conditions, could allow a high-privileged user to achieve remote code execution on the target via specially crafted input.

SAP jConnect is a JDBC driver used by developers and database administrators to connect Java applications to SAP ASE and SAP SQL Anywhere databases.

SAP’s December 2025 bulletin also lists fixes for five high-severity flaws and six medium-severity issues, including memory corruption, missing authentication and authorization checks, cross-site scripting, and information disclosure.

SAP solutions are deeply embedded in enterprise environments and handle sensitive, high-value workloads, making them a valuable target for attackers.

Earlier this year, SecurityBridge researchers observed in-the-wild attacks abusing a code-injection flaw (CVE-2025-42957) impacting SAP S/4HANA, Business One, and NetWeaver deployments.

SAP has not marked any of the 14 flaws as actively exploited in the wild, but administrators should deploy the fixes at once.
