SAP Security Patch Day – December 2025
With December’s SAP Security Patch Day – the final one of the year – SAP published 17 Security Notes, including updates to previously released notes. Even as we close out the year, there’s no slowdown in SAP security: the number of patches remains consistently high, and so does the imperative to apply them promptly to reduce exposure from known vulnerabilities.
Today’s landscapes change fast – spanning on-premise, cloud, and hybrid setups – and effective patch management is not as easy as “just patch.” Because of the complex nature and various components in the landscape, patching is often a tedious, time-consuming process, where applicable patches can be easily missed. At SecurityBridge, we understand the difficulties of patch management in the SAP landscape like no other. Our SecurityBridge Patch Management for SAP solution greatly helps to identify missing patches in your SAP landscape, providing clear visibility, impact analysis, and automated implementation. With a system-wide overview, the solution drastically shortens the time to implement missing patches and monitor threats in real time, safeguarding your SAP landscape against emerging threats.
SecurityBridge Findings!
At SecurityBridge, we don’t just provide a comprehensive SAP security platform — we’re also deeply invested in ongoing research within the SAP security domain. Looking back at 2025, we are proud to see our contributions recognized every single month. This underlines our commitment to discovering new vulnerabilities, which we responsibly disclose and help resolve in close collaboration with SAP.
For this month’s release, our latest discoveries are:
- Medium priority: note 3659117 – [CVE-2025-42891] Missing Authorization check in SAP Enterprise Search for ABAP
Security notes - December 2025
HotNews
Let’s start with HotNews, the highest-priority category. There are four notes in total — three newly released today and one update.
Remember our previous HotNews find 3668705? It was released last month and has now been re-released with updated correction instructions. The risk profile is identical – an authenticated low‑privilege attacker can inject code via a remote‑enabled function – so apply the refreshed instructions immediately if they apply to your release (CVSS 9.9).
This brings us to note 3685270, a closely linked vulnerability. Even after note 3668705 has been implemented, the system remains vulnerable because of missing input sanitization, which can lead to a complete system takeover. SAP fixed this by adding strict input sanitization that rejects most non‑alphanumeric characters; implementation is via Correction Instructions/Support Packages and there is no workaround (CVSS 9.9).
Note 3683579 describes a vulnerability for SAP Commerce Cloud regarding Apache Tomcat. SAP Commerce Cloud shipped a Tomcat build prone to console manipulation and relative path traversal. SAP addresses this by upgrading Tomcat; customers must move to the newer versions mentioned, then rebuild and redeploy. There’s no workaround and the score reflects broad C/I/A impact (CVSS 9.6).
The vulnerability of note 3685286 concerns SAP jConnect (SDK for ASE). Under certain conditions, a highly privileged user can trigger unsafe deserialization that enables remote code execution. SAP disables the vulnerable (de)serialization path and restricts a connection property; customers should upgrade (CVSS 9.1)!
High-Priority Notes
We only have 5 High-priority notes this month, all of them newly released. Although these sit one category below HotNews, they are still important.
Every once in a while, a vulnerability comes along that is the result of ‘testing’ functionality that should have been deleted but made its way into production releases. Note 3684682 describes such a vulnerability in the SAP ICM, with an impact on several components, such as Web Dispatcher, ABAP, Java and HANA. If an icm/HTTP/icm_test_<x> parameter is present in the profiles, internal testing endpoints become reachable, exposing diagnostics and enabling crafted requests. The remediation is configuration‑only: remove all such parameters from the DEFAULT and instance profiles and restart. This is a manual activity; see the note’s instructions for the affected releases (CVSS 8.2).
Note 3640185 concerns NetWeaver BI Java (Xcelsius remote service), which has long been deprecated. It needs to be undeployed (using good-old telnet…) and patched (CVSS 7.9).
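As an added defender-side check (this is not code from SecurityBridge or SAP), the following Python snippet scans SAP profile text for the icm/HTTP/icm_test_<x> parameter family that note 3684682 tells you to remove, and produces a cleaned copy; the profile content is constructed and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an SAP instance profile (not taken from any real system).
# The two icm/HTTP/icm_test_<x> entries are the kind note 3684682 says to remove.
SAMPLE_PROFILE = """\
# Instance profile (constructed example)
SAPSYSTEMNAME = S4H
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/HTTP/icm_test_0 = PREFIX=/sap/icm_test,ACTIVE=1
ICM/HTTP/ICM_TEST_1 = PREFIX=/sap/icm_test2
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http.log
"""

# Profile parameter names are case-insensitive, so match the whole
# icm/HTTP/icm_test_<x> family regardless of casing. Comment lines start with '#'.
ICM_TEST_RE = re.compile(r"^\s*(icm/HTTP/icm_test_[^\s=]*)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def find_icm_test_params(profile_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, parameter, value) for every icm/HTTP/icm_test_<x> entry."""
    hits = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        m = ICM_TEST_RE.match(line)  # blank and comment lines never match
        if m:
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


def strip_icm_test_params(profile_text: str) -> str:
    """Return the profile text with every icm/HTTP/icm_test_<x> line removed.
    The running instance only picks this up after a restart, as the note says."""
    kept = [ln for ln in profile_text.splitlines() if not ICM_TEST_RE.match(ln)]
    return "\n".join(kept) + "\n"


def audit_profiles(profiles: Dict[str, str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Check DEFAULT.PFL plus every instance profile; return only profiles with findings."""
    findings = {name: find_icm_test_params(text) for name, text in profiles.items()}
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    # Hypothetical profile set: a clean DEFAULT.PFL and the constructed instance profile.
    report = audit_profiles({"DEFAULT.PFL": "SAPSYSTEMNAME = S4H\n", "S4H_D00_host": SAMPLE_PROFILE})
    for name, hits in report.items():
        for lineno, param, value in hits:
            print(f"{name}:{lineno}: remove {param} = {value}")
```

On a real system, feed it the contents of DEFAULT.PFL and each instance profile from the profile directory and restart the instance after removing the reported lines.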
Another ICM-related issue – which also affects SAP Content Server – is described in note 3677544. Logic errors in kernel memory handling allow unauthenticated network attacks that impact availability. Fixes arrive via kernel and component patches: deploy the archives and make sure to restart services where needed. See note 3636955 for HANA XSA. The note includes detailed patching guidance and there is no workaround (CVSS 7.5).
Note 3650226 describes how a DoS attack is possible due to improper request/resource handling. An unauthenticated attacker can flood the service, causing long delays or outages. SAP updated impacted third‑party components and hardened resource controls; apply the listed Support Packages and Patches. (CVSS 7.5).
A missing authorization check lets a user restricted to one company code read and even post across all company codes in S/4HANA Private Cloud (FI‑GL); see note 3672151. Apply the corrections, or the workaround described in note 3673002. Patching is the recommended path, though (CVSS 7.1).
Medium- and Low-Priority Notes
This Patch Tuesday, 8 notes fall into the Medium category of which 2 have been updated. See below for some highlights and for a full breakdown, scroll to the end of this post.
Note 3676970 is about SAPUI5/OpenUI5 (markdown‑it DoS). An outdated markdown‑it library could hang the rendering thread with malformed input, spiking CPU and freezing UI sessions. Update to the minimum fixed SAPUI5 patch levels mentioned in the note. See note 2419950 for installation instructions.
SAP Security Notes December 2025
Highlights
A slightly lower number of security notes this month, but four of them carry the highest priority, HotNews.
Summary by Severity
The December release contains a total of 17 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 4 |
| High | 5 |
| Medium | 8 |
| Note | Description | Priority | Released on | Components | Category | Severity | CVSS |
|---|---|---|---|---|---|---|---|
| 3668705 | [CVE-2025-42887] Code Injection vulnerability in SAP Solution Manager | HotNews | 11/11/25 | SV-SMG-SVD-SWB | Program error | Hot News | 9.9 |
| 3685270 | [CVE-2025-42880] Code Injection vulnerability in SAP Solution Manager | HotNews | 12/9/25 | SV-SMG-SVD-SWB | Program error | Hot News | 9.9 |
| 3683579 | Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | HotNews | 12/9/25 | CEC-SCC-PLA-PL | Program error | Hot News | 9.6 |
| 3685286 | [CVE-2025-42928] Deserialization Vulnerability in SAP jConnect - SDK for ASE | HotNews | 12/9/25 | BC-SYB-SDK | Program error | Hot News | 9.1 |
| 3684682 | [CVE-2025-42878] Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM) | Correction with high priority | 12/9/25 | BC-CST-IC | Program error | High | 8.2 |
| 3640185 | [CVE-2025-42874] Denial of service (DOS) in SAP NetWeaver (remote service for Xcelsius) | Correction with high priority | 12/9/25 | BW-BEX-ET-XC | Program error | High | 7.9 |
| 3677544 | [CVE-2025-42877] Memory Corruption vulnerability in SAP Web Dispatcher, Internet Communication Manager and SAP Content Server | Correction with high priority | 12/9/25 | BC-CST-IC | Program error | High | 7.5 |
| 3650226 | [CVE-2025-48976] Denial of service (DOS) in SAP Business Objects | Correction with high priority | 12/9/25 | BI-BIP-CMC | Program error | High | 7.5 |
| 3672151 | [CVE-2025-42876] Missing Authorization Check in SAP S/4 HANA Private Cloud (Financials General Ledger) | Correction with high priority | 12/9/25 | FI-GL-GL-G | Program error | High | 7.1 |
| 3591163 | [CVE-2025-42875] Missing Authentication check in SAP NetWeaver Internet Communication Framework | Correction with medium priority | 12/9/25 | BC-MID-ICF | Program error | Medium | 6.6 |
| 3662324 | [CVE-2025-42904] Information Disclosure vulnerability in Application Server ABAP | Correction with medium priority | 12/9/25 | BC-ABA-LI | Program error | Medium | 6.5 |
| 3662622 | [CVE-2025-42872] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | Correction with medium priority | 12/9/25 | EP-CON-SAP | Program error | Medium | 6.1 |
| 3676970 | [CVE-2025-42873] Denial of Service (DoS) in SAPUI5 framework (Markdown-it component) | Correction with medium priority | 12/9/25 | CA-UI5-CTR-ROD | Program error | Medium | 5.9 |
| 3659117 | [CVE-2025-42891] Missing Authorization check in SAP Enterprise Search for ABAP | Correction with medium priority | 12/9/25 | BC-EIM-ESH | Program error | Medium | 5.5 |
| 3651390 | [CVE-2025-42896] Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform | Correction with medium priority | 12/9/25 | BI-BIP-INV | Program error | Medium | 5.4 |
| 3610322 | [CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP | Correction with medium priority | 7/8/25 | BC-DB-DBI | Program error | Medium | 4.9 |
| 3626440 | [CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform | Correction with medium priority | 7/8/25 | SV-SMG-SDD | Program error | Medium | 4.3 |
