SAP Issues Critical Patches for Major Code Execution Flaws

SAP has issued new security notes and patches for vulnerabilities that could enable code execution and system compromise.

Written By
Ken Underhill
Dec 9, 2025

SAP has released its December 2025 security updates, including several critical fixes for Solution Manager, Commerce Cloud, NetWeaver, and jConnect. 

Three flaws carry CVSS scores above 9.0 and could allow attackers to run arbitrary code or disrupt core business systems.

One of the vulnerabilities, CVE-2025-42880, “… allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” said SAP in its advisory.

What’s New in SAP’s Latest Security Updates

The release includes 14 new security notes and several high-priority updates, impacting organizations that rely on SAP for identity management, supply chain operations, analytics, and cloud-based commerce. 

The most severe vulnerabilities — spanning Solution Manager, Commerce Cloud, and jConnect SDK — could lead to full system compromise, remote code execution, or data corruption if left unpatched. 

The Key SAP Vulnerabilities

SAP’s December 2025 Patch Day addresses a broad set of critical, high-severity, and medium-severity vulnerabilities that pose significant risks across interconnected SAP landscapes. 

The most severe issue (CVE-2025-42880) is a critical code-injection flaw in SAP Solution Manager ST 720 caused by improper input handling. 

Authenticated attackers with minimal privileges could exploit this weakness to inject and execute arbitrary code, escalate their access, and move laterally across dependent SAP systems.

Another vulnerability, CVE-2025-55754, affects SAP Commerce Cloud deployments running specific HY_COM and COM_CLOUD versions. 

Because it stems from Apache Tomcat vulnerabilities, the flaw exposes organizations to potential remote code execution and operational disruption across online commerce environments that rely heavily on real-time transactions. 

A third critical issue, CVE-2025-42928, impacts SAP jConnect SDK for ASE 16.0.4 and 16.1, where unsafe deserialization allows high-privileged attackers to manipulate serialized objects, corrupt internal data structures, and compromise application integrity. 
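The jConnect issue is a deserialization flaw, a class of bug in which an application hands attacker-controlled bytes to a deserializer that will instantiate whatever classes the stream names. The following is an added, generic Java illustration of that pattern and of the JEP 290 serialization filter that closes it; it is not jConnect's code, says nothing about the specific jConnect defect (the advisory text above does not describe its internals), and the class names, the `Settings` type and the sample payloads are constructed for this example.

```java
import java.io.*;
import java.util.*;

/**
 * Illustrative example only (not SAP or jConnect code): the generic
 * unsafe-deserialization pattern (CWE-502) next to a hardened reader that
 * applies a JEP 290 ObjectInputFilter allow-list.
 */
public class DeserializationDemo {

    // Hypothetical record the application legitimately expects to receive.
    public static final class Settings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Settings(String name) { this.name = name; }
    }

    // Vulnerable: instantiates whatever class names the caller-supplied
    // stream declares, so any gadget class on the classpath is fair game.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: only the expected classes may be resolved, nesting depth and
    // array sizes are capped, and the trailing "!*" rejects everything else.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$Settings;java.lang.String;maxdepth=5;maxarray=1000;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Settings("prod"));
        // Constructed stand-in for an attacker-chosen class that is not on
        // the allow-list; a real gadget chain would be built the same way.
        byte[] unexpected = serialize(new HashMap<String, Object>());

        System.out.println("unsafe accepts expected:   " + (unsafeRead(expected) instanceof Settings));
        System.out.println("unsafe accepts unexpected: " + (unsafeRead(unexpected) instanceof HashMap));
        System.out.println("safe accepts expected:     " + (safeRead(expected) instanceof Settings));
        try {
            safeRead(unexpected);
            System.out.println("safe accepts unexpected:   true");
        } catch (InvalidClassException e) {
            // The filter rejects the descriptor before any object is created.
            System.out.println("safe rejects unexpected:   " + e.getMessage());
        }
    }
}
```

The filter runs as each class descriptor is read, so a rejected class is refused before its constructor or readObject hook can execute. The same filter string can be applied process-wide with the `jdk.serialFilter` system property, which is the practical route when the deserializing code lives inside a third-party driver or SDK you cannot modify.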

Collectively, these critical vulnerabilities illustrate how the tight integration of SAP components can amplify the impact of a single exploit, letting attackers chain weaknesses together for a far broader compromise. 

Beyond the critical issues, SAP also resolved several high-severity flaws that meaningfully expand the attack surface if left unpatched. 

  • CVE-2025-42878 can expose sensitive data in Web Dispatcher and ICM through misconfigurations.
  • CVE-2025-42874 is a denial-of-service vulnerability affecting SAP NetWeaver Xcelsius.
  • CVE-2025-48976 introduces a DoS risk in SAP BusinessObjects Enterprise.
  • CVE-2025-42877 involves memory corruption within Web Dispatcher, ICM, and Content Server.
  • CVE-2025-42876 is caused by missing authorization checks in S/4HANA Private Cloud.

The security bulletin also includes medium-severity updates that address authentication bypasses, XSS flaws, SSRF, information disclosure, and additional DoS risks. 

These issues affect components such as SAP NetWeaver, the ABAP Application Server, SAPUI5, Enterprise Search, and the BusinessObjects BI platform.

How to Reduce SAP Exploitation Risks

The following recommendations help reduce the likelihood of successful exploitation of these vulnerabilities.  

  • Apply all critical SAP patches as soon as possible.
  • Test updates in non-production environments and enforce strict change management before deploying to live systems.
  • Harden access by restricting administrative interfaces, enforcing MFA, tightening authorization profiles, and removing unused roles.
  • Segment SAP environments, apply strict firewall rules, and use virtual patching tools such as a WAF or IPS to block exploit attempts until patches are deployed.
  • Enhance monitoring by enabling extended SAP logging, integrating telemetry into SIEM, and watching for abnormal process or configuration activity.
  • Secure underlying infrastructure and third-party integrations by updating OS components, validating kernel and database versions, and auditing connectors or custom code.
  • Strengthen cyber resilience through regular, immutable backups, credential rotation, and maintaining SAP-specific incident response playbooks.

A defense-in-depth approach helps build long-term resilience.

As SAP systems become more deeply integrated with cloud services, identity providers, and automated supply chain platforms, vulnerabilities within any of these interconnected components can create ripple effects across the entire organization. 

These growing interdependencies underscore the need for security controls that limit implicit trust, in line with zero-trust principles.
