SAP’s December 2025 security update includes three “Hot News” notes that patch critical vulnerabilities. These address a code injection flaw in SAP Solution Manager (SolMan), a deserialization vulnerability in SAP jConnect, and multiple issues in Apache Tomcat within SAP Commerce Cloud. Organizations should prioritize applying these patches to mitigate the risk of exploitation.
This advisory from Layer Seven Security provides an analysis of the most significant patches released on December 12, 2025. The update features several critical and high-priority fixes for vulnerabilities across the SAP landscape, including a code injection in Solution Manager (CVE-2025-42880), a deserialization flaw in SAP jConnect (CVE-2025-42928), and a high-risk information disclosure in SAP Web Dispatcher (CVE-2025-42878). A key strategic recommendation is for customers to begin migrating from SAP Solution Manager to SAP Cloud ALM, as SolMan’s end-of-maintenance is set for December 31, 2027.
Key Takeaways
- Patch the critical code injection vulnerability in SAP Solution Manager (Note 3685270).
- Address the “Hot News” deserialization vulnerability in SAP jConnect (Note 3685286).
- Fix the high-risk information disclosure in SAP Web Dispatcher and ICM (Note 3684682).
- Secure the missing authorization check in the S/4HANA Financial module (Note 3672151).
- Begin planning the migration from SAP Solution Manager to SAP Cloud ALM before the 2027 end-of-maintenance date.
Summary of December 2025 SAP Security Notes
The following table summarizes the key vulnerabilities addressed in this month’s security patch release.
| Note / CVE(s) | Vulnerability Type | Affected Product(s) | Priority |
|---|---|---|---|
| 3685270 / CVE-2025-42880 | Code Injection | SAP Solution Manager 7.2 | Hot News |
| 3685286 / CVE-2025-42928 | Deserialization | SAP jConnect – SDK for ASE | Hot News |
| 3683579 / CVE-2025-55754, CVE-2025-55752 | Multiple (Apache Tomcat) | SAP Commerce Cloud | Hot News |
| 3684682 / CVE-2025-42878 | Information Disclosure | SAP Web Dispatcher, ICM | High |
| 3677544 / CVE-2025-42877 | Memory Corruption | SAP Web Dispatcher, ICM, SAP Content Server | High |
| 3672151 / CVE-2025-42876 | Missing Authorization Check | SAP S/4HANA (Financial Module) | High |
| 3640185 / CVE-2025-42874 | Denial of Service (DoS) | SAP NetWeaver (Xcelsius) | High |
What are the critical “Hot News” patches for December 2025?
SAP released three “Hot News” notes, indicating the highest level of criticality.
Hot News note 3685270 patches a code injection vulnerability (CVE-2025-42880) in SAP Solution Manager 7.2. The patch secures a vulnerable remote-enabled function module by introducing input validation. Given that maintenance for SolMan ends on December 31, 2027, customers are advised to migrate to SAP Cloud ALM.
Hot News note 3685286 addresses a critical deserialization vulnerability (CVE-2025-42928) in the SAP jConnect SDK for ASE. This flaw could allow an attacker to execute malicious code. The solution disables the serialization and deserialization of vulnerable input values and includes patches for SAP ASE versions 16.0 and 16.1.
Hot News note 3683579 delivers fixes for multiple vulnerabilities (CVE-2025-55754, CVE-2025-55752) related to Apache Tomcat within SAP Commerce Cloud.
What other high-priority vulnerabilities were patched?
Several high-risk vulnerabilities were also addressed in this patch cycle.
Note 3684682 fixes a high-risk information disclosure vulnerability (CVE-2025-42878) in the SAP Web Dispatcher and Internet Communication Manager (ICM). The flaw could expose internal testing interfaces not meant for production. To mitigate this, the icm/HTTP/icmtest_ parameter should be removed from all system profiles.
Note 3677544 patches a memory corruption vulnerability (CVE-2025-42877) affecting SAP Web Dispatcher, ICM, and SAP Content Server.
Note 3640185 resolves a Denial of Service (DoS) vulnerability (CVE-2025-42874) in the remote service for Xcelsius in SAP NetWeaver. Due to insufficient input validation, an attacker with network access and high privileges could execute arbitrary code.
Note 3672151 addresses a missing authorization check (CVE-2025-42876) in the General Ledger of SAP S/4HANA’s Financial module. This could allow an attacker with access to one company code to read, post, or modify documents across all company codes.
What is the future of SAP Solution Manager (SolMan)?
The end of maintenance for SAP Solution Manager is scheduled for December 31, 2027. SAP recommends that customers migrate application monitoring and lifecycle management functions to SAP Cloud ALM and decommission their SolMan installations. It is also noted that SolMan is no longer required for the Cybersecurity Extension for SAP.
Frequently Asked Questions (FAQ)
Q: What is the most critical SAP vulnerability for December 2025?
A: The “Hot News” notes are the most critical. These include a code injection in SAP Solution Manager (CVE-2025-42880), a deserialization flaw in SAP jConnect (CVE-2025-42928), and Tomcat issues in SAP Commerce Cloud (CVE-2025-55754, CVE-2025-55752).
Q: Is SAP Solution Manager being discontinued?
A: Yes, mainstream maintenance for SAP Solution Manager ends on December 31, 2027. SAP advises customers to transition to SAP Cloud ALM for application lifecycle management before this date.
Q: How do I fix the information disclosure vulnerability in SAP Web Dispatcher?
A: To mitigate the vulnerability (CVE-2025-42878), you must remove the icm/HTTP/icmtest_ parameter from all system profiles, including DEFAULT and instance profiles, and then restart the components.
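The mitigation above and in the Web Dispatcher section (removing the icm/HTTP/icmtest_ parameter from DEFAULT and instance profiles) is easy to miss in a landscape with many profiles. The following script is an added example written for this advisory, not tooling from SAP or Layer Seven Security. It assumes the usual plain-text `name = value` profile format under `/sapmnt/<SID>/profile`, that lines beginning with `#` are comments, and that any parameter whose name starts with `icm/HTTP/icmtest_` (for example `icm/HTTP/icmtest_0`) activates the testing interface; the sample profile and its values are constructed.

```python
"""Audit SAP system profiles for active icm/HTTP/icmtest_* parameters.

Hypothetical helper for the CVE-2025-42878 mitigation described above;
it is not SAP's own tooling. Assumptions: profiles are plain-text
`name = value` files, `#` at line start marks a comment, and any
parameter named icm/HTTP/icmtest_<n> enables the internal test interface.
"""
import re
from pathlib import Path

ICMTEST_PREFIX = "icm/HTTP/icmtest_"
# SAP parameter names contain letters, digits, '/', '_', '.', '-'.
_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def find_icmtest_params(profile_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, name, value) for every *active* icmtest parameter.

    Commented-out lines are ignored: they are not read by the ICM and are
    therefore not a finding.
    """
    hits = []
    for lineno, raw in enumerate(profile_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue
        m = _PARAM_RE.match(raw)
        # SAP parameter names are matched case-insensitively here.
        if m and m.group(1).lower().startswith(ICMTEST_PREFIX.lower()):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


def strip_icmtest_params(profile_text: str) -> str:
    """Return the profile text with active icmtest lines removed.

    Every other line (other parameters, comments, blank lines) is kept
    byte-for-byte so the cleaned file can be diffed against the original.
    """
    flagged = {lineno for lineno, _, _ in find_icmtest_params(profile_text)}
    kept = [
        raw
        for lineno, raw in enumerate(profile_text.splitlines(), start=1)
        if lineno not in flagged
    ]
    trailing_newline = "\n" if profile_text.endswith("\n") else ""
    return "\n".join(kept) + trailing_newline


def audit_profile_dir(profile_dir: str) -> dict[str, list[tuple[int, str, str]]]:
    """Scan every regular file in a profile directory (DEFAULT.PFL plus
    instance profiles) and map file name -> findings. Read-only."""
    findings = {}
    for path in sorted(Path(profile_dir).iterdir()):
        if not path.is_file():
            continue
        hits = find_icmtest_params(path.read_text(errors="replace"))
        if hits:
            findings[path.name] = hits
    return findings


# Constructed sample profile: one active icmtest entry, one commented out.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = S4H
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTP,PORT=8000
# icm/HTTP/icmtest_0 = PREFIX=/icmtest   (already disabled, not a finding)
icm/HTTP/icmtest_0 = PREFIX=/icmtest
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=icmhttp.log
"""


if __name__ == "__main__":
    for lineno, name, value in find_icmtest_params(SAMPLE_PROFILE):
        print(f"line {lineno}: {name} = {value}  <- remove and restart ICM/Web Dispatcher")
    print("--- cleaned profile ---")
    print(strip_icmtest_params(SAMPLE_PROFILE), end="")
```

Run `audit_profile_dir("/sapmnt/<SID>/profile")` on each host to get a per-file list of findings; apply `strip_icmtest_params` only after reviewing that list, then restart the affected ICM and Web Dispatcher instances so the change takes effect, as the FAQ answer requires.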