SAP Security Notes, December 2025
Hot news note 3685270 patches a code injection vulnerability in SAP Solution Manager (CVE-2025-42880). The vulnerability impacts all support pack levels of Solution Manager 7.2 (SolMan). The patch introduces input validation to secure the affected remote-enabled function module. Customers should consider migrating application monitoring and lifecycle management functions to SAP Cloud ALM and decommissioning SolMan installations. The end of maintenance for SolMan is scheduled for December 31, 2027. SolMan is no longer required for the Cybersecurity Extension for SAP.
Hot news note 3685286 addresses a critical deserialization vulnerability in SAP jConnect – SDK for ASE (CVE-2025-42928). The vulnerability can be exploited by attackers to execute malicious code. The solution disables the serialization and deserialization of vulnerable input values in the SAP jConnect for JDBC driver. The note includes patches for SAP ASE versions 16.0 and 16.1.
Hot news note 3683579 delivers fixes for multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud (CVE-2025-55754 and CVE-2025-55752).
Note 3684682 addresses a high risk information disclosure vulnerability in the SAP Web Dispatcher and Internet Communication Manager (ICM) (CVE-2025-42878). The vulnerability can lead to the exposure of internal testing interfaces that are not intended for production. The parameter icm/HTTP/icm_test_<x> should be removed from system profiles to mitigate the vulnerability. This includes DEFAULT and instance profiles.
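A quick way to verify the mitigation on a host is to scan every profile for active icm/HTTP/icm_test_<x> entries. The following shell script is an added example and is not part of the note or of the original post. The profile directory /usr/sap/<SID>/SYS/profile, the file names and the sample profile contents are assumptions about a typical installation, and commenting the parameter out rather than deleting the line is an editorial choice so the change stays visible in a diff; the note itself only says to remove the parameter.

```shell
#!/bin/sh
# Added example (not from SAP Note 3684682): find and neutralise icm/HTTP/icm_test_<x>
# parameters in SAP profile files. Assumed layout: /usr/sap/<SID>/SYS/profile/ holds
# DEFAULT.PFL and the instance profiles (<SID>_<INSTANCE>_<host>).

# check_icm_test_params FILE...
# Prints file:line:parameter for every active (uncommented) icm/HTTP/icm_test_<x>
# parameter. Returns 0 when no such parameter is active in any file, 1 otherwise.
check_icm_test_params() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # SAP profile comment lines start with '#'; a parameter line is NAME = VALUE.
        if grep -H -n -E '^[[:space:]]*icm/HTTP/icm_test_[^[:space:]=]*[[:space:]]*=' "$f"; then
            found=1
        fi
    done
    return "$found"
}

# remediate_profile FILE
# Writes FILE to stdout with every icm/HTTP/icm_test_<x> line commented out and
# annotated with the note number, so the change explains itself in a later review.
remediate_profile() {
    sed -E 's|^([[:space:]]*)(icm/HTTP/icm_test_)|\1# removed per SAP Note 3684682: \2|' "$1"
}

# Typical usage on a host (paths are assumptions about the installation):
#   check_icm_test_params /usr/sap/*/SYS/profile/* && echo "no icm_test parameters active"
#   remediate_profile /usr/sap/ABC/SYS/profile/DEFAULT.PFL > DEFAULT.PFL.new
#   diff /usr/sap/ABC/SYS/profile/DEFAULT.PFL DEFAULT.PFL.new
```

Run the check against the DEFAULT profile and every instance profile, not just the instance you happen to be logged on to, and re-run it after activating the changed profiles the way your landscape normally rolls out profile changes.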
Note 3677544 patches a memory corruption vulnerability in SAP Web Dispatcher, ICM and SAP Content Server (CVE-2025-42877).
Note 3640185 fixes a denial of service (DoS) vulnerability in the remote service for Xcelsius in SAP NetWeaver (CVE-2025-42874). Due to insufficient input validation and improper handling of remote method calls, the service allows an attacker with network access and high privileges to execute arbitrary code on the affected system. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control.
Note 3672151 patches a missing authorization check impacting the General Ledger in the Financial module of SAP S/4HANA (CVE-2025-42876). The vulnerability could enable an attacker with access to a single company code to read sensitive data and post or modify documents across all company codes.

