SAP Patch Day: 14 Security Warnings at Year-End

For the last patch day of the year, SAP has released 14 security notes. Updates patch the associated vulnerabilities.


SAP has released 14 new security advisories for the last patch day of the year. They address security vulnerabilities in its business software, some of which are rated critical. Admins should promptly apply the available updates.

The SAP overview lists the individual security notes and affected products. Three security flaws classified as critical risk stand out. Because of missing input filtering, logged-in users can inject malicious code by calling a module that has remote access enabled; this allows a complete takeover of the affected SAP Solution Manager (CVE-2025-42880, CVSS 9.9, risk "critical"). The Apache Tomcat server bundled with SAP Commerce Cloud also contains several security vulnerabilities, some classified as critical risk (CVE-2025-55754, CVSS 9.6, risk "critical", and CVE-2025-55752, without its own CVSS rating). Furthermore, SAP warns that attackers with elevated privileges can exploit a deserialization vulnerability in SAP jConnect to execute arbitrary malicious code remotely (CVE-2025-42928, CVSS 9.1, risk "critical").

IT managers should check if they are using vulnerable products and install the updates promptly if necessary. The security notes in detail:

  • Code Injection vulnerability in SAP Solution Manager (CVE-2025-42880, CVSS 9.9, risk "critical")
  • Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud (CVE-2025-55754, CVSS 9.6, "critical", and CVE-2025-55752)
  • Deserialization Vulnerability in SAP jConnect - SDK for ASE (CVE-2025-42928, CVSS 9.1, "critical")
  • Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM) (CVE-2025-42878, CVSS 8.2, "high")
  • Denial of Service (DoS) in SAP NetWeaver (remote service for Xcelsius) (CVE-2025-42874, CVSS 7.9, "high")
  • Denial of Service (DoS) in SAP Business Objects (CVE-2025-48976, CVSS 7.5, "high")
  • Memory Corruption vulnerability in SAP Web Dispatcher, Internet Communication Manager and SAP Content Server (CVE-2025-42877, CVSS 7.5, "high")
  • Missing Authorization Check in SAP S/4 HANA Private Cloud (Financials General Ledger) (CVE-2025-42876, CVSS 7.1, "high")
  • Missing Authentication check in SAP NetWeaver Internet Communication Framework (CVE-2025-42875, CVSS 6.6, "medium")
  • Information Disclosure vulnerability in Application Server ABAP (CVE-2025-42904, CVSS 6.5, "medium")
  • Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (CVE-2025-42872, CVSS 6.1, "medium")
  • Denial of Service (DoS) in SAPUI5 framework (Markdown-it component) (CVE-2025-42873, CVSS 5.9, "medium")
  • Missing Authorization check in SAP Enterprise Search for ABAP (CVE-2025-42891, CVSS 5.5, "medium")
  • Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform (CVE-2025-42896, CVSS 5.4, "medium")


SAP's November patch day brought 18 security advisories and corresponding patches to close security vulnerabilities for IT managers. Of these, two were classified as critical risk, and one even reached the maximum CVSS score of 10.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.