SAP Patches Critical Vulnerabilities With December 2025 Security Updates

Affecting Solution Manager, Commerce Cloud, and jConnect SDK, the bugs could lead to code injection and remote code execution.

Enterprise software maker SAP on Tuesday announced the release of 14 new security notes as part of its December 2025 security patch day, including three that address critical-severity vulnerabilities.

The first of the critical notes resolves CVE-2025-42880 (CVSS score of 9.9), which is described as a code injection in Solution Manager.

Affecting a remote-enabled module of the product, the security defect exists because user input is improperly validated, allowing authenticated attackers to inject arbitrary code, SAP security firm Onapsis explains.

The risk posed by the CVE, Pathlock security analyst Jonathan Stross says, is heightened by the central role Solution Manager has within enterprise environments, where it acts as a central operations and administration hub connected to other SAP systems.

“In many SAP environments, it helps admins to manage updates and push software throughout the organization’s SAP landscape; therefore, it has many high-privileged users and provides critical access to other systems. This is why a successful exploitation of this vulnerability could potentially give an attacker administrative-level access to the entire SAP enterprise landscape,” Stross said.

The second critical note in SAP’s December 2025 advisory deals with two bugs in the Apache Tomcat server used in Commerce Cloud, and has a CVSS score of 9.6.

Tracked as CVE-2025-55754 and CVE-2025-55752, the flaws were publicly disclosed in October and addressed in Tomcat versions 11.0.11, 10.1.45, and 9.0.109. Both could be exploited for remote code execution (RCE).

The third critical note released on this month’s SAP security patch day resolves CVE-2025-42928 (CVSS score of 9.1), a deserialization issue in jConnect SDK for Sybase Adaptive Server Enterprise (ASE).

According to Onapsis, attackers could exploit the vulnerability by sending specially crafted input, leading to RCE.

SAP’s December 2025 advisory also includes five security notes with a priority rating of ‘high’, including two that address denial of service (DoS) bugs in NetWeaver and BusinessObjects.

The other three deal with an information leak issue in Web Dispatcher and Internet Communication Manager (ICM), a memory corruption bug in Web Dispatcher, ICM, and Content Server, and a missing authorization check flaw in SAP S/4 HANA Private Cloud.

The remaining six security notes resolve medium-severity defects in NetWeaver, Application Server ABAP, SAPUI5, Enterprise Search for ABAP, and BusinessObjects.

SAP makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to apply the patches as soon as possible.

Related: SAP Patches Critical Flaws in SQL Anywhere Monitor, Solution Manager

Related: SAP Patches Critical Vulnerabilities in NetWeaver, Print Service, SRM

Related: SAP Patches Critical NetWeaver Vulnerabilities

Related: Recent SAP S/4HANA Vulnerability Exploited in Attacks

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.