CyberHappenings

SAP December 2025 Security Updates Address Three Critical Vulnerabilities

1 unique source, 1 article

Summary

SAP released December 2025 security updates fixing 14 vulnerabilities, including three critical flaws across multiple products. The most severe issue, CVE-2025-42880 (CVSS 9.9), is a code injection flaw in SAP Solution Manager ST 720, allowing authenticated attackers to execute malicious code and gain full system control. Another critical flaw, CVE-2025-55754 (CVSS 9.6), affects SAP Commerce Cloud components due to multiple Apache Tomcat vulnerabilities. The third critical flaw, CVE-2025-42928 (CVSS 9.1), is a deserialization vulnerability in SAP jConnect that could enable remote code execution under certain conditions. SAP solutions are widely used in enterprise environments, managing sensitive and high-value workloads, making them attractive targets for attackers. While none of the flaws are marked as actively exploited, administrators are urged to apply the fixes promptly.

Timeline

  1. 10.12.2025 00:41 · 1 article

    SAP December 2025 Security Updates Address Three Critical Vulnerabilities

    SAP released December 2025 security updates fixing 14 vulnerabilities, including three critical flaws. The most severe issue, CVE-2025-42880, is a code injection flaw in SAP Solution Manager ST 720. Another critical flaw, CVE-2025-55754, affects SAP Commerce Cloud components due to multiple Apache Tomcat vulnerabilities. The third critical flaw, CVE-2025-42928, is a deserialization vulnerability in SAP jConnect. The updates also address five high-severity and six medium-severity flaws. While none of the vulnerabilities are marked as actively exploited, administrators are urged to apply the fixes promptly.

Information Snippets

  • CVE-2025-42880 is a code injection flaw in SAP Solution Manager ST 720 with a CVSS score of 9.9, allowing authenticated attackers to execute malicious code and gain full system control.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • CVE-2025-55754 affects SAP Commerce Cloud components in versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21, with a CVSS score of 9.6, due to multiple Apache Tomcat vulnerabilities.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • CVE-2025-42928 is a deserialization vulnerability in SAP jConnect with a CVSS score of 9.1, potentially allowing remote code execution under certain conditions.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • SAP's December 2025 bulletin also includes fixes for five high-severity and six medium-severity flaws, including memory corruption, missing authentication checks, cross-site scripting, and information disclosure.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • SAP solutions manage sensitive and high-value workloads, making them valuable targets for attackers.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • None of the 14 flaws are marked as actively exploited in the wild, but administrators are advised to apply the fixes without delay.

    First reported: 10.12.2025 00:41
    1 source, 1 article