Today, SAP released its latest batch of Security Patch Day updates, delivering 18 new security notes and two updates to previously released ones. Among them, three critical vulnerabilities stand out — including two with the maximum CVSS score of 10.0 — that affect SQL Anywhere Monitor (Non-GUI), SAP NetWeaver AS Java, and SAP Solution Manager.
The first and arguably most severe issue, CVE-2025-42890, affects SQL Anywhere Monitor (Non-GUI), a Sybase-based database monitoring component.
“SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution,” SAP stated in the advisory.
This vulnerability, which earned a critical CVSS score of 10.0, could allow unauthenticated attackers to exploit hard-coded credentials to execute arbitrary code or gain unauthorized access to sensitive database environments.
“This could cause high impact on confidentiality, integrity, and availability of the system,” SAP warned.
Another critical vulnerability, CVE-2025-42944 (CVSS 10.0), represents a remote code execution (RCE) risk via insecure deserialization in SAP NetWeaver AS Java’s RMI-P4 module. This is an update to a previously released note from October 2025, reflecting ongoing hardening efforts across SAP’s Java-based systems.
“Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port,” SAP explained.
Successful exploitation can allow attackers to execute arbitrary OS commands remotely, leading to complete system compromise.
“The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application’s confidentiality, integrity, and availability,” the note continued.
Given the pervasiveness of SAP NetWeaver AS Java across enterprise environments, this vulnerability poses an urgent risk for organizations running unpatched systems or exposing the RMI-P4 port to the internet or other untrusted networks.
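To make the flaw class concrete, the following is an added Java illustration, not SAP's code and not derived from the RMI-P4 implementation, of why calling `ObjectInputStream.readObject()` on attacker-supplied bytes is dangerous and how a JEP 290 allow-list filter rejects unexpected classes before any object is constructed. The `Ping` and `Gadget` types, the `executed` field standing in for `Runtime.exec`, and the filter pattern are all assumptions made for this demo; the actual fix for CVE-2025-42944 is the SAP note itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example with hypothetical types; not SAP's RMI-P4 code.
public class DeserDemo {

    // The only type the hypothetical service legitimately expects on the wire.
    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String msg;
        Ping(String msg) { this.msg = msg; }
    }

    // Records the side effect of the gadget below; a real gadget chain would end
    // in Runtime.exec, here the "command" is just stored so the demo is harmless.
    static volatile String executed = null;

    // Stand-in for a gadget class: its readObject hook runs while the stream is
    // being parsed, before the caller ever receives the object.
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        String cmd;
        Gadget(String cmd) { this.cmd = cmd; }
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed = cmd;   // deliberately vulnerable: code runs during deserialization
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: deserialize whatever arrived on the open port.
    static Object readUnfiltered(byte[] payload)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened pattern: JEP 290 allow-list. Only Ping (and String, for its field)
    // may be resolved; any other class is rejected with InvalidClassException
    // before its readObject hook or constructor can run.
    static Object readFiltered(byte[] payload)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "DeserDemo$Ping;java.lang.String;!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Ping("hello"));
        byte[] malicious = serialize(new Gadget("id"));   // constructed attacker payload

        readUnfiltered(malicious);
        System.out.println("unfiltered: gadget ran with cmd=" + executed);

        executed = null;
        try {
            readFiltered(malicious);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + "), executed=" + executed);
        }
        System.out.println("filtered: benign object ok -> " + ((Ping) readFiltered(benign)).msg);
    }
}
```

Compile and run with a JDK 9 or later (`javac DeserDemo.java && java DeserDemo`); the unfiltered path shows the gadget's hook firing with no call from the application, while the filtered path rejects the same bytes and still accepts the expected `Ping`. The allow-list is the generic defense for this bug class; for NetWeaver AS Java the actionable steps remain applying the SAP note and confirming that the P4 port is not reachable from untrusted networks.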
The third critical issue, CVE-2025-42887 (CVSS 9.9), affects SAP Solution Manager (version ST 720) and enables authenticated attackers to inject and execute arbitrary code via improperly sanitized remote-enabled function calls.
“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” SAP detailed.
This flaw could allow attackers to gain full control of the system, affecting its confidentiality, integrity, and availability.
“This could provide the attacker with full control of the system hence leading to high impact,” SAP warned.
In addition to the three critical vulnerabilities, SAP addressed several high- and medium-severity flaws across its ecosystem. Some of the most significant include:
- CVE-2025-42940 – Memory Corruption vulnerability in SAP CommonCryptoLib (CVSS 7.5)
- CVE-2025-42895 – Code Injection in SAP HANA JDBC Client (CVSS 6.9)
- CVE-2025-42892 / CVE-2025-42894 – OS Command Injection and Path Traversal in SAP Business Connector (CVSS 6.8)
- CVE-2025-42884 – JNDI Injection in SAP NetWeaver Enterprise Portal (CVSS 6.5)
- CVE-2025-42924 / CVE-2025-42893 – Open Redirect vulnerabilities in SAP S/4HANA and SAP Business Connector (CVSS 6.1)
- CVE-2025-42885 – Missing Authentication in SAP HANA 2.0 (hdbrss) (CVSS 5.8)
- CVE-2025-42888 – Information Disclosure in SAP GUI for Windows (CVSS 5.5)
- CVE-2025-42899 / CVE-2025-42882 – Missing Authorization Checks in SAP S4CORE and SAP NetWeaver ABAP (CVSS 4.3)
- CVE-2025-42883 – Insecure File Operations in SAP NetWeaver ABAP Migration Workbench (CVSS 2.7)