
SAP December 2025 Security Updates Address Three Critical Vulnerabilities


Summary


SAP’s December 2025 security bulletin addressed 14 vulnerabilities, including three critical flaws, while the May 2026 updates addressed 15 new vulnerabilities, including two critical issues in Commerce Cloud and S/4HANA. One critical flaw, CVE-2026-34263, is a missing authentication check in SAP Commerce Cloud that allows unauthenticated attackers to execute arbitrary code. The second critical flaw, CVE-2026-34260, enables low-complexity SQL injection in SAP S/4HANA, risking unauthorized data access and application disruption. SAP’s May 2026 advisory also resolved one high-severity and 11 medium-severity issues, including command injection, missing authorization checks, and XSS. While SAP has not observed active exploitation of these new flaws, historical precedent shows SAP vulnerabilities are frequently targeted: 14 SAP flaws have been added to CISA’s Known Exploited Vulnerabilities catalog in recent years, including two used in ransomware attacks. SAP remains a critical enterprise software vendor, serving 99 of the 100 largest global companies and reporting over €36 billion in revenue for fiscal year 2025.

Timeline

  1. 12.05.2026 14:04 · 1 article

    SAP May 2026 Security Updates Address Two New Critical Flaws in Commerce Cloud and S/4HANA

    SAP released May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws. CVE-2026-34263 is a missing authentication check in SAP Commerce Cloud caused by improper Spring Security configuration, allowing unauthenticated attackers to execute arbitrary code through malicious configuration upload, resulting in high-impact compromise of confidentiality, integrity, and availability. CVE-2026-34260 enables low-complexity SQL injection in SAP S/4HANA due to direct concatenation of user input into SQL queries without validation, risking unauthorized database access and application crashes. The advisory also includes fixes for one high-severity and 11 medium-severity issues such as command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service. While SAP has not observed active exploitation, historical context includes 14 SAP flaws added to CISA’s Known Exploited Vulnerabilities catalog in recent years, including two used in ransomware attacks.

  2. 10.12.2025 00:41 · 2 articles

    SAP December 2025 Security Updates Address Three Critical Vulnerabilities

    SAP released December 2025 security updates fixing 14 vulnerabilities, including three critical flaws. The most severe issue, CVE-2025-42880, is a code injection flaw in SAP Solution Manager ST 720. Another critical flaw, CVE-2025-55754, affects SAP Commerce Cloud components due to multiple Apache Tomcat vulnerabilities. The third critical flaw, CVE-2025-42928, is a deserialization vulnerability in SAP jConnect. The updates also address five high-severity and six medium-severity flaws. While none of the vulnerabilities are marked as actively exploited, administrators are urged to apply the fixes promptly. This timeline has since been expanded to cover the subsequent May 2026 SAP security updates, which address 15 new vulnerabilities, including two critical flaws in Commerce Cloud and S/4HANA, as a separate and later development.


Information Snippets

  • CVE-2025-42880 is a code injection flaw in SAP Solution Manager ST 720 with a CVSS score of 9.9, allowing authenticated attackers to execute malicious code and gain full system control.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • CVE-2025-55754 affects SAP Commerce Cloud components in versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21, with a CVSS score of 9.6, due to multiple Apache Tomcat vulnerabilities.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • CVE-2025-42928 is a deserialization vulnerability in SAP jConnect with a CVSS score of 9.1, potentially allowing remote code execution under certain conditions.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • SAP's December 2025 bulletin also includes fixes for five high-severity and six medium-severity flaws, including memory corruption, missing authentication checks, cross-site scripting, and information disclosure.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • SAP solutions manage sensitive and high-value workloads, making them valuable targets for attackers.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • None of the 14 flaws are marked as actively exploited in the wild, but administrators are advised to apply the fixes without delay.

    First reported: 10.12.2025 00:41
    1 source, 1 article
  • SAP May 2026 security updates address 15 vulnerabilities across multiple products, including two critical flaws in Commerce Cloud and S/4HANA.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • CVE-2026-34263 is a missing authentication check in SAP Commerce Cloud allowing unauthenticated attackers to execute code on vulnerable servers.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • CVE-2026-34263 is caused by improper Spring Security configuration leading to malicious configuration upload and arbitrary server-side code execution.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • CVE-2026-34260 enables attackers with basic privileges to perform low-complexity SQL injection attacks in SAP S/4HANA.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • CVE-2026-34260 involves concatenation of malicious user input into SQL queries without proper validation, risking unauthorized access and application crashes.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • SAP May 2026 advisory also fixes one high-severity and 11 medium-severity flaws including command injection, missing authorization checks, XSS, CSRF, and denial-of-service.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • CISA added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog in recent years, including two abused in ransomware attacks.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • SAP reported total revenues exceeding €36 billion in fiscal year 2025 and serves 99 of the 100 largest companies worldwide.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • SAP Commerce Cloud is an enterprise-grade e-commerce platform used by large retailers and global brands.

    First reported: 12.05.2026 14:04
    1 source, 1 article
  • S/4HANA is a cloud-based ERP suite replacing the company's on-premises ECC ERP system.

    First reported: 12.05.2026 14:04
    1 source, 1 article

Similar Happenings

Critical ASUS Live Update Flaw Added to CISA KEV Catalog

CISA has added a critical flaw in ASUS Live Update (CVE-2025-59374, CVSS 9.3) to its KEV catalog due to active exploitation. The vulnerability stems from a supply chain compromise that allowed unauthorized modifications in certain versions, enabling attackers to perform unintended actions. The flaw is linked to the 2019 Operation ShadowHammer campaign by the APT41 group, which targeted around 600 specific devices. The attack was uncovered in January 2019, and ASUS released a patch by March of the same year. ASUS Live Update reached end-of-support on December 4, 2025, and CISA urges FCEB agencies to discontinue its use by January 7, 2026. The CVE assignment reflects a retrospective classification effort, formally documenting a well-known attack that predated CVE issuance. The updated ASUS FAQ page from December 2025 contradicts the CVE entry, implying that support definitively ended on December 4, 2025, with version 3.6.15 being the last version. The FAQ page continues to display older remediation guidance with screenshots bearing 2019 dates, recommending upgrading to version 3.6.8 or higher to resolve security concerns.

Critical vulnerabilities in SAP NetWeaver and related products addressed

SAP has released security updates addressing multiple vulnerabilities, including three critical flaws in NetWeaver and a high-severity issue in S/4HANA. The most severe, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via an insecure deserialization vulnerability in the RMI-P4 module. The second critical flaw, CVE-2025-42922, enables authenticated attackers to upload arbitrary files, potentially leading to full system compromise. The third critical vulnerability, CVE-2025-42958, allows unauthorized high-privileged users to access sensitive data and administrative functions. Additionally, a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) was patched, which could permit attackers to delete the content of arbitrary database tables. In the November 2025 security updates, SAP addressed a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor (CVE-2025-42890) and a critical code injection issue in the Solution Manager platform (CVE-2025-42887). The SQL Anywhere Monitor flaw involves hardcoded credentials that could allow attackers to access administrative functions and execute arbitrary code. The Solution Manager flaw allows authenticated attackers to insert malicious code, potentially leading to full system control. SAP also released fixes for one high-severity flaw (CVE-2025-42940) and 14 other medium-severity vulnerabilities. These vulnerabilities affect SAP NetWeaver, the foundation for various business applications like ERP, CRM, SRM, and SCM, widely deployed in large enterprise networks. The RMI-P4 port, used for internal SAP-to-SAP communication, may be exposed to wider networks due to misconfigurations. SAP products are frequent targets for high-value compromises due to their handling of mission-critical data. Earlier this month, a critical code injection vulnerability (CVE-2025-42957) was exploited in S/4HANA, Business One, and NetWeaver products. SAP has also updated security notes for other high-severity vulnerabilities in Business One, Landscape Transformation Replication Server, and S/4HANA.

SAP S/4HANA Command Injection Vulnerability CVE-2025-42957 Exploited in the Wild

A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA. The flaw was patched in SAP's August 2025 updates, but exploitation has been observed. SecurityBridge Threat Research Labs, BleepingComputer, and Pathlock have reported active exploitation. Organizations are advised to apply patches, monitor logs for suspicious RFC calls or new admin users, implement SAP's Unified Connectivity framework (UCON) to restrict RFC usage, and take additional security measures to mitigate the risk.