好的,我现在需要帮用户总结一篇文章的内容,控制在100个字以内。首先,我得仔细阅读文章内容,抓住关键点。 文章主要讲的是SAP在12月发布了安全更新,修复了14个漏洞,其中三个是关键级别的。最严重的漏洞CVE-2025-42880影响了SAP Solution Manager ST 720,CVSS评分高达9.9,属于代码注入问题,可能导致系统被完全控制。第二个是CVE-2025-55754,影响SAP Commerce Cloud组件,评分9.6。第三个是CVE-2025-42928,影响SAP jConnect的反序列化漏洞,评分9.1。此外还有五个高危和六个中危漏洞。 用户要求总结在100字以内,并且不要以“文章内容总结”开头。所以我要简洁明了地概括这些信息。 首先提到SAP修复了14个漏洞,三个关键级别。然后分别说明每个漏洞的影响和严重性。最后提到其他漏洞和建议尽快修复。 这样组织起来应该能在100字左右完成。 </think> SAP修复了14个漏洞,包括三个关键级别(CVSS评分分别为9.9、9.6和9.1)的缺陷。最严重的漏洞CVE-2025-42880影响SAP Solution Manager ST 720,可能导致系统被完全控制;CVE-2025-55754影响SAP Commerce Cloud组件;CVE-2025-42928影响SAP jConnect的反序列化问题。此外还修复了五个高危和六个中危漏洞。建议管理员尽快部署补丁以应对潜在风险。 2025-12-9 22:45:22 Author: www.bleepingcomputer.com(查看原文) 阅读量:1 收藏
SAP has released its December security updates addressing 14 vulnerabilities across a range of products, including three critical-severity flaws.
The most severe (CVSS score: 9.9) of all the issues is CVE-2025-42880, a code injection problem impacting SAP Solution Manager ST 720.
"Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module," reads the flaw's description.
"This could provide the attacker with full control of the system, hence leading to high impact on confidentiality, integrity, and availability of the system."
SAP Solution Manager is the vendor's central lifecycle management and monitoring platform used by enterprises for system monitoring, technical configuration, incident and service desk, documentation hub, and test management.
The next most severe flaw SAP fixed this month concerns multiple Apache Tomcat vulnerabilities impacting SAP Commerce Cloud components in versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21.
The flaws are tracked in SAP Commerce Cloud under a single identifier, CVE-2025-55754, given a CVSS severity rating of 9.6.
SAP Commerce Cloud is an enterprise-grade e-commerce platform backing large-scale online stores with product catalogs, pricing, promotions, checkout, order management, customer accounts, and ERP/CRM integration. It is generally used by large retailers and global brands.
The third critical (CVSS score: 9.1) flaw fixed this month is CVE-2025-42928, a deserialization vulnerability impacting SAP jConnect, which, under certain conditions, could allow a high-privileged user to achieve remote code execution on the target via specially crafted input.
SAP jConnect is a JDBC driver used by developers and database administrators to connect Java applications to SAP ASE and SAP SQL Anywhere databases.
SAP's December 2025 bulletin also lists fixes for five high-severity flaws and six medium-severity issues, including memory corruption, missing authentication and authorization checks, cross-site scripting, and information disclosure.
SAP solutions are deeply embedded in enterprise environments and manage sensitive, high-value workloads, making them a valuable target for attackers.
Earlier this year, SecurityBridge researchers observed in-the-wild attacks abusing a code-injection flaw (CVE-2025-42957) impacting SAP S/4HANA, Business One, and NetWeaver deployments.
SAP has not marked any of the 14 flaws as actively exploited in the wild, but administrators should deploy the fixes without delay.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
如有侵权请联系:admin#unsafe.sh