SAP Delivers Three Critical Fixes in December Patch Day

This month, SAP’s Security Patch Day delivered fixes for several high-impact vulnerabilities affecting administrative platforms, embedded services, and integration interfaces.

SAP released 14 new security notes as part of its monthly SAP Security Patch Day. SAP rated three of the security patches as critical priority, while five are high priority and the remainder are medium priority.

The release offers a reminder to SAP security teams that core applications, embedded open-source components, and integration frameworks all require consistent attention.

With three critical vulnerabilities disclosed, SAP advises customers to review the Security Notes in its Support Portal and implement relevant patches based on their priority level.

Patch Day Priorities

SAP assigned a critical priority to the following security notes based on the Common Vulnerability Scoring System (CVSS):

1. Note# 3685270, Code Injection vulnerability in SAP Solution Manager, received a 9.9 out of 10.0 CVSS rating.
2. Note# 3683579, Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud Related CVE, received a 9.6 CVSS rating.
3. Note# 3685286, Deserialization Vulnerability in SAP jConnect – SDK for ASE, received a 9.1 CVSS rating.

According to CVE, the code-injection flaw in SAP Solution Manager could allow an authenticated attacker to “insert malicious code when calling a remote-enabled function module.” A successful exploit would grant the attacker “full control of the system.”

“Given the central role of SAP Solution Manager in the SAP system landscape, we strongly recommend a timely patch,” wrote Thomas Fritsch, SAP security researcher at Onapsis.

CVE reported that the vulnerabilities for Apache Tomcat in SAP Commerce Cloud made it possible for an attacker to manipulate the console or clipboard on Windows systems. A successful attack could trick an administrator into executing a command.

Gert-Jan Koster, SAP Security specialist at SecurityBridge, commented, “There’s no workaround and the score reflects broad [confidentiality, integrity, and availability] impact.”

The deserialization vulnerability for SAP jConnect, meanwhile, could allow a high-privileged attacker to trigger remote code execution. CVE stated that the system became vulnerable when specially crafted input was used to exploit the flaw.

Fritsch said Onapsis exploited the vulnerability, noting that the only reason the it did not receive a 10.0 CVSS rating was because an exploit requires high level of privileges.

What This Means for SAPinsiders

• Update the central systems that keep SAP environments running. Systems such as SAP Solution Manager sit at the center of administrative workflows, and weaknesses in these platforms can influence monitoring, change management, transport controls, and lifecycle operations. Patching these systems first helps protect the operational foundation that other components depend on. Effective risk reduction ultimately requires consistent patch hygiene.
• Increase visibility into embedded and third-party components. Services like Apache Tomcat and other bundled technologies can introduce risk even when SAP applications are fully patched. Security teams should maintain an inventory of these components and monitor them for inconsistent settings, platform-specific issues, and outdated packages. Unseen dependencies remain one of the most persistent attack vectors.
• Tighten controls around high-privilege access. Interfaces that operate with elevated authorizations—such as SAP jConnect, other integration connectors, and administrative APIs—require consistent oversight to ensure they handle input as expected. Keeping these access points aligned with current safeguards helps maintain predictable behavior and reduce unintended effects across different systems and connection paths.