SAP Security Notes: December 2025 Patch Day

Two HotNews vulnerabilities in SAP Solution Manager and SAP jConnect SDK for ASE patched in collaboration with the Onapsis Research Labs
Highlights of December SAP Security Notes analysis include:
- December Summary – Seventeen new and updated SAP security patches released, including four HotNews Notes and five High Priority Notes
- SAP Solution Manager – Critical Code Injection vulnerability allows full compromise of the system
- Onapsis Research Labs Contribution – Our team supported SAP in patching five vulnerabilities, covered by two HotNews and two High Priority SAP Security Notes
SAP has published seventeen new and updated SAP Security Notes in its December Patch Day, including four HotNews Notes and five High Priority Notes. Four of the fourteen new SAP Security Notes were published in collaboration with the Onapsis Research Labs.

The HotNews Notes in Detail
The Onapsis Research Labs (ORL) supported SAP in patching two critical vulnerabilities in SAP Solution Manager and in SAP jConnect – SDK for ASE.
SAP Security Note #3685270, tagged with a CVSS score of 9.9, patches a Code Injection vulnerability in SAP Solution Manager. The ORL team identified a remote-enabled function module that allows an authenticated attacker to inject arbitrary code, leading to high impact on confidentiality, integrity and availability of the system. The vulnerability is patched by adding appropriate input sanitization to the affected function module. Given the central role of SAP Solution Manager in the SAP system landscape, we strongly recommend a timely patch.
The second HotNews Note that was released in collaboration with the ORL team is SAP Security Note #3685286, tagged with a CVSS score of 9.1. Our team was able to exploit a deserialization vulnerability in the SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE) to achieve remote code execution by providing specially crafted input to the component. A successful exploit requires high privileges, which prevents the vulnerability from being rated at a CVSS score of 10.0.
SAP HotNews Note #3668705, tagged with a CVSS score of 9.9, was initially released on SAP’s November Patch Day and patches a Code Injection vulnerability in SAP Solution Manager. The note was updated with additional correction instructions.
The third new HotNews Note of SAP’s December Patch Day affects SAP Commerce Cloud customers. SAP Commerce Cloud uses a version of Apache Tomcat that is vulnerable to CVE-2025-55754 and CVE-2025-55752. SAP Security Note #3683579, tagged with a CVSS score of 9.6, provides corrections that include a patched version of Apache Tomcat. Customers that remain unpatched put the application’s confidentiality, integrity, and availability at high risk.
The High Priority Notes in Detail
The Onapsis Research Labs also contributed to three High Priority vulnerabilities, which SAP patched with two Security Notes.
SAP Security Note #3684682, tagged with a CVSS score of 8.2, disables some vulnerable interfaces in SAP Web Dispatcher and SAP Internet Communication Manager (ICM) that were only intended for testing purposes. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. As a quick workaround, customers can remove the generic profile parameters that expose the interfaces from the default and instance profiles.
SAP Security Note #3677544, tagged with a CVSS score of 7.5, patches Memory Corruption vulnerabilities in SAP Web Dispatcher, SAP Internet Communication Manager (ICM) and SAP Content Server. The ORL team detected that an unauthenticated user can exploit logical errors to cause memory corruption, leading to a high negative impact on the application’s availability.
High Priority Note #3640185 is tagged with a CVSS score of 7.9 and patches a Denial of Service vulnerability in the SAP NetWeaver remote service for XCelsius. The patch removes the affected service since XCelsius support ended on December 31, 2020. If the service is not removed, an attacker with network access and high privileges can execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls.
SAP Security Note #3650226, tagged with a CVSS score of 7.5, addresses a Denial of Service vulnerability in SAP Business Objects. A third-party component used by the application allows an unauthenticated attacker to flood the service due to improper request and resource handling, preventing legitimate users from accessing it. The patch contains an updated version of the affected third-party component that is now protected against uncontrolled resource consumption.
SAP Security Note #3672151, tagged with a CVSS score of 7.1, patches a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud. The vulnerability allows an authenticated attacker with authorization limited to a single company code to read sensitive data and post or modify documents across all company codes.
Summary & Conclusions
With seventeen SAP Security Notes, including four HotNews Notes and five High Priority Notes, SAP’s December Patch Day is another busy one. Two HotNews and two High Priority Notes were released in collaboration with the Onapsis Research Labs, and thus our team once more contributed significantly to making SAP applications more secure.
| SAP Note | Type | CVE | Description | Component | Priority | CVSS |
| --- | --- | --- | --- | --- | --- | --- |
| 3668705 | Update | CVE-2025-42887 | Code Injection vulnerability in SAP Solution Manager | SV-SMG-SVD-SWB | HotNews | 9.9 |
| 3685270 | New | CVE-2025-42880 | Code Injection vulnerability in SAP Solution Manager | SV-SMG-SVD-SWB | HotNews | 9.9 |
| 3683579 | New | | Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | CEC-SCC-PLA-PL | HotNews | 9.6 |
| 3685286 | New | CVE-2025-42928 | Deserialization Vulnerability in SAP jConnect – SDK for ASE | BC-SYB-SDK | HotNews | 9.1 |
| 3684682 | New | CVE-2025-42878 | Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM) | BC-CST-IC | High | 8.2 |
| 3640185 | New | CVE-2025-42874 | Denial of service (DOS) in SAP NetWeaver (remote service for Xcelsius) | BW-BEX-ET-XC | High | 7.9 |
| 3650226 | New | CVE-2025-48976 | Denial of service (DOS) in SAP Business Objects | BI-BIP-CMC | High | 7.5 |
| 3677544 | New | CVE-2025-42877 | Memory Corruption vulnerability in SAP Web Dispatcher, Internet Communication Manager and SAP Content Server | BC-CST-IC | High | 7.5 |
| 3672151 | New | CVE-2025-42876 | Missing Authorization Check in SAP S/4 HANA Private Cloud (Financials General Ledger) | FI-GL-GL-G | High | 7.1 |
| 3591163 | New | CVE-2025-42875 | Missing Authentication check in SAP NetWeaver Internet Communication Framework | BC-MID-ICF | Medium | 6.6 |
| 3662324 | New | CVE-2025-42904 | Information Disclosure vulnerability in Application Server ABAP | BC-ABA-LI | Medium | 6.5 |
| 3662622 | New | CVE-2025-42872 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | EP-CON-SAP | Medium | 6.1 |
| 3676970 | New | CVE-2025-42873 | Denial of Service (DoS) in SAPUI5 framework (Markdown-it component) | CA-UI5-CTR-ROD | Medium | 5.9 |
| 3659117 | New | CVE-2025-42891 | Missing Authorization check in SAP Enterprise Search for ABAP | BC-EIM-ESH | Medium | 5.5 |
| 3651390 | New | CVE-2025-42896 | Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform | BI-BIP-INV | Medium | 5.4 |
| 3610322 | Update | CVE-2025-42961 | Missing Authorization check in SAP NetWeaver Application Server for ABAP | BC-DB-DBI | Medium | 4.9 |
| 3626440 | Update | CVE-2025-42986 | Missing Authorization check in SAP NetWeaver and ABAP Platform | SV-SMG-SDD | Medium | 4.3 |
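The following Python script is an added example, not part of the Onapsis post and not an Onapsis tool. It parses the December note table above into a remediation queue ordered by priority rank, then CVSS, then note number, optionally restricted to the SAP components an installation actually runs, and it recomputes the headline counts (seventeen notes, four HotNews, five High) as a cross-check. The table rows are copied from this page; the component filter set used in the demo run is an assumed placeholder.

```python
import re
from collections import Counter

# Constructed input: the December 2025 note table from this page, copied as data.
# Column order: SAP Note | Type | CVE | Description | Component | Priority | CVSS
NOTE_TABLE = """\
| SAP Note | Type | CVE | Description | Component | Priority | CVSS |
| --- | --- | --- | --- | --- | --- | --- |
| 3668705 | Update | CVE-2025-42887 | Code Injection vulnerability in SAP Solution Manager | SV-SMG-SVD-SWB | HotNews | 9.9 |
| 3685270 | New | CVE-2025-42880 | Code Injection vulnerability in SAP Solution Manager | SV-SMG-SVD-SWB | HotNews | 9.9 |
| 3683579 | New | | Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | CEC-SCC-PLA-PL | HotNews | 9.6 |
| 3685286 | New | CVE-2025-42928 | Deserialization Vulnerability in SAP jConnect - SDK for ASE | BC-SYB-SDK | HotNews | 9.1 |
| 3684682 | New | CVE-2025-42878 | Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM) | BC-CST-IC | High | 8.2 |
| 3640185 | New | CVE-2025-42874 | Denial of service (DOS) in SAP NetWeaver (remote service for Xcelsius) | BW-BEX-ET-XC | High | 7.9 |
| 3650226 | New | CVE-2025-48976 | Denial of service (DOS) in SAP Business Objects | BI-BIP-CMC | High | 7.5 |
| 3677544 | New | CVE-2025-42877 | Memory Corruption vulnerability in SAP Web Dispatcher, Internet Communication Manager and SAP Content Server | BC-CST-IC | High | 7.5 |
| 3672151 | New | CVE-2025-42876 | Missing Authorization Check in SAP S/4 HANA Private Cloud (Financials General Ledger) | FI-GL-GL-G | High | 7.1 |
| 3591163 | New | CVE-2025-42875 | Missing Authentication check in SAP NetWeaver Internet Communication Framework | BC-MID-ICF | Medium | 6.6 |
| 3662324 | New | CVE-2025-42904 | Information Disclosure vulnerability in Application Server ABAP | BC-ABA-LI | Medium | 6.5 |
| 3662622 | New | CVE-2025-42872 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | EP-CON-SAP | Medium | 6.1 |
| 3676970 | New | CVE-2025-42873 | Denial of Service (DoS) in SAPUI5 framework (Markdown-it component) | CA-UI5-CTR-ROD | Medium | 5.9 |
| 3659117 | New | CVE-2025-42891 | Missing Authorization check in SAP Enterprise Search for ABAP | BC-EIM-ESH | Medium | 5.5 |
| 3651390 | New | CVE-2025-42896 | Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform | BI-BIP-INV | Medium | 5.4 |
| 3610322 | Update | CVE-2025-42961 | Missing Authorization check in SAP NetWeaver Application Server for ABAP | BC-DB-DBI | Medium | 4.9 |
| 3626440 | Update | CVE-2025-42986 | Missing Authorization check in SAP NetWeaver and ABAP Platform | SV-SMG-SDD | Medium | 4.3 |
"""

# SAP's priority ladder; lower rank is handled first.
PRIORITY_RANK = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_notes(table):
    """Parse a pipe-delimited note table into a list of dicts.

    Header, separator and blank lines are skipped; a row is accepted only if it
    has exactly seven cells and starts with a numeric SAP Note number.
    """
    notes = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or not cells[0].isdigit():
            continue
        note, ntype, cve, desc, comp, prio, cvss = cells
        notes.append({
            "note": note,
            "type": ntype,
            "cve": cve if CVE_RE.match(cve) else None,  # e.g. the Tomcat note lists no single CVE
            "description": desc,
            "component": comp,
            "priority": prio,
            "cvss": float(cvss),
        })
    return notes


def summarize(notes):
    """Headline counts; these should match the figures quoted in the post."""
    return {
        "total": len(notes),
        "by_priority": dict(Counter(n["priority"] for n in notes)),
        "by_type": dict(Counter(n["type"] for n in notes)),
    }


def triage_queue(notes, components_in_use=None):
    """Order notes by priority rank, then CVSS descending, then note number.

    If components_in_use is given, only notes for those SAP components are kept,
    which is how a team narrows Patch Day to the systems it actually operates.
    """
    selected = notes
    if components_in_use is not None:
        selected = [n for n in notes if n["component"] in components_in_use]
    return sorted(selected,
                  key=lambda n: (PRIORITY_RANK.get(n["priority"], 99), -n["cvss"], n["note"]))


if __name__ == "__main__":
    all_notes = parse_notes(NOTE_TABLE)
    print(summarize(all_notes))
    # Assumed placeholder: a landscape running Web Dispatcher/ICM and Solution Manager.
    for n in triage_queue(all_notes, {"BC-CST-IC", "SV-SMG-SVD-SWB"}):
        print(n["note"], n["priority"], n["cvss"], n["cve"] or "-", n["component"])
```

Run without a component filter to get the full queue; with a filter, the queue contains only the notes whose SAP component matches, so the two Solution Manager HotNews Notes and the two Web Dispatcher/ICM notes come out first in the demo run.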
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our Defender’s Monthly Newsletter.
Frequently Asked Questions (FAQs)
What are the critical vulnerabilities in the December 2025 SAP Patch Day?
There are four HotNews Notes released this month, with the most critical being a Code Injection vulnerability in SAP Solution Manager (Note #3685270) carrying a CVSS score of 9.9. This flaw allows an authenticated attacker to inject arbitrary code, potentially leading to a full system compromise. Another major vulnerability affects the SAP jConnect SDK for ASE (Note #3685286), which allows for remote code execution via deserialization.
How many security notes were released in December 2025?
SAP released a total of seventeen new and updated security notes. This includes four HotNews notes (CVSS 9.0+) and five High Priority notes (CVSS 7.0-8.9), covering various components such as SAP Solution Manager, SAP Commerce Cloud, and SAP Web Dispatcher.
Which vulnerabilities did the Onapsis Research Labs contribute to?
The Onapsis Research Labs (ORL) helped SAP patch five vulnerabilities this month. These contributions cover two HotNews notes and two High Priority notes:
- HotNews #3685270: Code Injection in SAP Solution Manager.
- HotNews #3685286: Deserialization vulnerability in SAP jConnect SDK for ASE.
- High Priority #3684682: Sensitive data exposure in SAP Web Dispatcher and ICM.
- High Priority #3677544: Memory corruption in SAP Web Dispatcher, ICM, and Content Server.
What is the issue with SAP Commerce Cloud in the December patch?
SAP Commerce Cloud is affected by vulnerabilities in its embedded Apache Tomcat server (Note #3683579, CVSS 9.6). The issue involves CVE-2025-55754 and CVE-2025-55752, which could put the application’s confidentiality, integrity, and availability at high risk if left unpatched.
How do I fix the Denial of Service vulnerability in XCelsius (Note #3640185)?
The fix for the Denial of Service vulnerability in the SAP NetWeaver remote service for XCelsius (CVSS 7.9) is to remove the affected service entirely. Support for XCelsius ended on December 31, 2020, so the service should no longer be in use. Leaving it active allows attackers with high privileges to execute arbitrary code.
What workaround exists for the SAP Web Dispatcher vulnerability (Note #3684682)?
To mitigate the sensitive data exposure vulnerability in SAP Web Dispatcher and ICM (CVSS 8.2), customers can remove the generic profile parameters that expose vulnerable testing interfaces. These interfaces were intended for testing only and should be disabled in default and instance profiles to prevent unauthorized access.
Is there a patch for the SAP Business Objects Denial of Service flaw?
Yes, SAP Security Note #3650226 (CVSS 7.5) addresses a Denial of Service vulnerability in SAP Business Objects. The issue stems from a third-party component that improperly handles requests, allowing attackers to flood the service. The patch provides an updated version of the third-party component that prevents uncontrolled resource consumption.
