Overview

SAP’s security patch day for December 2025 saw the release of 16 OSS SAP security notes. Three notes have been classified as critical, five as high and eight as medium, based on CVSS v3.0 rating.

Security Notes by CVSS v3 Base Score


Seven notes have been released for:

• SAP NetWeaver

Two notes have been released for:

• SAP BusinessObjects Business Intelligence Platform

• SAP Solution Manager

Single notes have been released for:

• SAP Cloud for Customer
• SAP S/4HANA Finance
• SAPUI5
• SAP Enterprise Portal
• SAP BW

Security Notes by Product Category


Vulnerabilities: December 2025 Highlights

[CVE-2025-42875] Missing Authentication check in SAP NetWeaver Internet Communication Framework (SAP Note 3591163)

The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification, allowing an attacker with high privileges to reuse authorization tokens. This violates secure authentication practices and causes low impact on the confidentiality, integrity and availability of the application.

[CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP (SAP Note 3610322)

Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging overly permissive access configurations, unauthorized reading of critical data is possible, resulting in a significant impact on the confidentiality of the information stored.


[CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform (SAP Note 3626440)

Due to a missing authorization check in an obsolete RFC-enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
