Executive Summary
SAP released a set of security notes for December addressing vulnerabilities across Solution Manager, SAP jConnect, Commerce Cloud (Apache Tomcat), S/4HANA, Web Dispatcher/ICM, BI Java, SAPUI5, ABAP Kernel, Enterprise Portal, BusinessObjects, and other components.
Four vulnerabilities fall in the Critical range (CVSS 9.0+), and five are ranked as High-Priority (CVSS 7.0-8.9). Additional medium‑severity notes include multiple denial‑of‑service conditions, information disclosure flaws, SSRF, XSS, kernel regressions, and missing authorization checks.
Critical Vulnerabilities to Prioritize
3685270 / CVE‑2025‑42880. SAP Solution Manager: Code Injection
The Solution Manager sits at the center of most SAP landscapes and acts as a central operations and administration hub connected via trusted channels to other systems. In many SAP environments it manages updates and coordinates Support Packages, so it has many high-privileged users and critical access to other systems. This is why successful exploitation of this vulnerability could potentially give an attacker administrative-level access to the entire SAP enterprise landscape.
A remote-enabled function module allows malicious code injection due to missing input sanitization.
| Priority | CVSS | Action |
|---|---|---|
| Critical | 9.9 | To protect yourself against this threat, implement the correction instructions or the referenced Support Packages. The fix adds input sanitization that rejects non-alphanumeric patterns and blocks the injection vector. |
3685286 / CVE‑2025‑42928. SAP jConnect: Deserialization RCE
jConnect is the JDBC driver layer that many Java components use to talk to SAP ASE. When deserialization in that layer is not handled, it quickly becomes a remote code execution opportunity for anyone who can control serialized input.
The updated versions disable vulnerable serialization/deserialization paths and restrict the connection property that can be abused for RCE.
| Priority | CVSS | Action |
|---|---|---|
| Critical | 9.1 | Update to ASE SDK 16.0 SP04 PL08 or 16.1 SP00 PL01 HF1. |
3683579 / CVE-2025-55754 and CVE-2025-55752. Multiple Tomcat Vulnerabilities in SAP Commerce Cloud
SAP Commerce Cloud ships with Apache Tomcat, and this note addresses a Tomcat baseline that pulls in multiple high-impact CVEs, including console manipulation and path traversal. SAP Commerce Cloud is an e-commerce platform used for product catalogs, online storefronts, customer interaction and order processing.
If you don’t patch the vulnerable Tomcat version used by SAP Commerce Cloud, attackers may be able to read sensitive system files, including configuration files, server logs, or even the application files you have deployed. In other words, unpatched Tomcat can expose internal data and code that should remain private.
| Priority | CVSS | Action |
|---|---|---|
| Critical | 9.6 | To address this threat, update to patch releases 2205.45, 2211.47, or 2211‑jdk21.5. After patching, rebuild and redeploy the Commerce Cloud application as per SAP’s build/deploy guidance. |
High‑Priority Notes (Medium CVSS, High Operational Relevance)
3672151 / CVE‑2025‑42876. S/4HANA Financials GL: Missing Authorization Check
An authorization misconfiguration allowed users with limited authorization to read and post documents across company codes.
| Priority | CVSS | Action |
|---|---|---|
| High | 7.1 | Implement correction instructions or Support Packages. |
3684682 / CVE‑2025‑42878. SAP Web Dispatcher & ICM: Sensitive Data Exposure
Enabling internal icm/HTTP/icm_test_ parameters exposed diagnostic interfaces.
| Priority | CVSS | Action |
|---|---|---|
| High | 8.2 | Remove all icm_test parameters and restart impacted components. |
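The remediation for this note (and the matching item under Operational Guidance) is to remove every icm/HTTP/icm_test_* parameter and restart the affected components. The following audit script is an added example, not code from SAP or from the original article: it parses instance-profile style "name = value" lines, skips comments, and reports any active icm/HTTP/icm_test_ parameter with its line number so the finding can be tracked until the parameter is removed. The profile syntax handling and the embedded sample profile are assumptions constructed for this example.

```python
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

# Assumption: profile files use "name = value" assignments, "#" starts a comment.
# The parameter family named in the note is icm/HTTP/icm_test_<n>; matching is
# case-insensitive on purpose so that unusual capitalisation is not missed.
ICM_TEST_RE = re.compile(r"^icm/HTTP/icm_test_", re.IGNORECASE)


class Finding(NamedTuple):
    source: str   # file name (or label) the parameter was read from
    lineno: int   # 1-based line number in that file
    name: str     # parameter name as written
    value: str    # parameter value as written


def parse_profile(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (lineno, name, value) for every active assignment in a profile.

    Blank lines and comment lines are ignored, so a commented-out parameter
    is not reported as active. The value keeps everything after the first '='
    because ICM values themselves contain '=' (e.g. PROT=HTTP,PORT=8000).
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        yield lineno, name.strip(), value.strip()


def find_icm_test_params(text: str, source: str = "<constructed>") -> List[Finding]:
    """Return every active icm/HTTP/icm_test_* parameter found in the profile text."""
    return [
        Finding(source, lineno, name, value)
        for lineno, name, value in parse_profile(text)
        if ICM_TEST_RE.match(name)
    ]


def audit_files(paths: List[str]) -> List[Finding]:
    """Run the check over several profile files and merge the findings."""
    findings: List[Finding] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(find_icm_test_params(fh.read(), source=path))
    return findings


# Constructed sample profile for offline use; not a real SAP instance profile.
SAMPLE_PROFILE = """\
# constructed sample profile
SAPSYSTEMNAME = WD1
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/HTTP/icm_test_0 = ENABLE=1
# icm/HTTP/icm_test_1 = ENABLE=1   (commented out, therefore not active)
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=access.log
"""


def main(argv: List[str]) -> int:
    """Exit 1 when any icm_test parameter is active, 0 otherwise."""
    findings = audit_files(argv) if argv else find_icm_test_params(SAMPLE_PROFILE)
    for f in findings:
        print(f"{f.source}:{f.lineno}: active {f.name} = {f.value} -> remove and restart ICM/Web Dispatcher")
    if not findings:
        print("no icm/HTTP/icm_test_* parameters active")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with one or more profile paths as arguments, or with none to check the embedded sample. A non-zero exit code makes it easy to wire into a configuration-compliance job so that the parameter is flagged again if it is reintroduced after the restart.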
3677544 / CVE‑2025‑42877. Web Dispatcher, ICM, Content Server: Memory Corruption
Logical memory handling errors enabled unauthenticated attackers to trigger memory corruption.
| Priority | CVSS | Action |
|---|---|---|
| High | 7.5 | Update kernel, Web Dispatcher and Content Server. |
3650226 / CVE‑2025‑48976. SAP BusinessObjects DoS
Improper resource management allowed unauthenticated attackers to cause a denial of service.
| Priority | CVSS | Action |
|---|---|---|
| High | 7.5 | Updated third-party components remediate the issue. |
3640185 / CVE‑2025‑42874. SAP NetWeaver BI Java / Xcelsius
A remote service for Xcelsius allowed arbitrary code execution.
| Priority | CVSS | Action |
|---|---|---|
| High | 7.9 | The fix removes the vulnerable remote service entirely. |
Medium Severity Notes
| SAP Note / CVE ID | Vulnerability Name | CVSS | Description / Impact | Remediation / Fix |
|---|---|---|---|---|
| 3676970 / CVE‑2025‑42873 | SAPUI5 Markdown‑it DoS | 5.9 | Malformed markdown input triggered infinite loops. | Update SAPUI5 to fixed patch levels. |
| 3662324 / CVE‑2025‑42904 | ABAP Kernel Information Disclosure | 6.5 | A regression caused ABAP List masking to fail. | Kernel update restores masking. |
| 3662622 / CVE‑2025‑42872 | Enterprise Portal XSS | 6.1 | Missing URL encoding allowed reflected XSS. | Apply fix for proper URL encoding. |
| 3659117 / CVE‑2025‑42891 | Enterprise Search Missing Authorization | 5.5 | High‑privileged users could export DB table contents. | Authorization checks restored. |
| 3651390 / CVE‑2025‑42896 | BusinessObjects SSRF | 5.4 | Login error‑handling parameters enabled SSRF. | Input validation applied. |
| 3591163 / CVE‑2025‑42875 | ICF Authentication Reset Failure | 6.6 | User identity was not reset correctly under certain flows, allowing token reuse. | Apply Correction to ensure proper identity reset. |
Operational Guidance
- Prioritize the Critical notes, then move to the High-Priority notes (especially for Web Dispatcher and ICM), then the applicable Medium-severity notes.
- Update kernels, Web Dispatcher, and ICM together where required.
- Remove icm_test parameters immediately if present.
- Apply strict network ACLs for jConnect, SolMan RFC interfaces, and Commerce Cloud admin endpoints.
Closing Thoughts
The overall message: December is about closing RCE paths, cleaning up legacy endpoints, and removing unsafe defaults before they are abused. Applying patches promptly reduces exposure to remote attacks, data leakage, and denial‑of‑service conditions.