SAP released its monthly Security Patch Day updates, addressing 18 new security notes and providing two updates to existing ones, focusing on vulnerabilities that could enable remote code execution and various injection attacks across its product ecosystem.
These patches are crucial for enterprises relying on SAP systems, as unpatched flaws could expose sensitive data and operational disruptions to threat actors.
SAP urges customers to prioritize applying these fixes via the Support Portal to safeguard their landscapes from potential exploits.
Critical Vulnerabilities Patched
Among the most severe issues is CVE-2025-42890 in SQL Anywhere Monitor (Non-GUI), version 17.0, which stems from insecure key and secret management practices.
This critical vulnerability, scored at CVSS 10.0, allows unauthenticated attackers over the network to compromise confidentiality, integrity, and availability with high impact, potentially leading to full system takeover through exposed credentials.
Similarly, an update to CVE-2025-42944 in SAP NetWeaver AS Java (SERVERCORE 7.50) reinforces protections against insecure deserialization, maintaining its CVSS 10.0 rating and enabling unauthenticated remote code execution via malicious payloads.
Security experts highlight that such deserialization flaws have been exploited in the wild, underscoring the urgency for immediate patching.
Another high-impact flaw, CVE-2025-42887 in SAP Solution Manager (ST 720), introduces a code injection vulnerability exploitable by authenticated users with low privileges, earning a CVSS score of 9.9.
Attackers could leverage this to achieve cross-scope escalation, executing arbitrary code and disrupting core business functions. This aligns with broader trends in SAP vulnerabilities where injection attacks target foundational components, amplifying risks in enterprise environments.
The patch day also tackles multiple injection-related issues at medium severity, including CVE-2025-42892 for OS command injection in SAP Business Connector (version 4.8), CVSS 6.8, which could allow high-privileged adjacent attackers to run unauthorized commands.
CVE-2025-42884 involves JNDI injection in SAP NetWeaver Enterprise Portal (EP-BASIS 7.50), potentially leading to unauthorized lookups and data leaks, rated at CVSS 6.5.
Additionally, CVE-2025-42889 addresses SQL injection in SAP Starter Solution (PL SAFT) across various versions, enabling low-privileged users to manipulate database queries.
High-severity notes include CVE-2025-42940, a memory corruption issue in SAP CommonCryptoLib (version 8) with CVSS 7.5, which could cause denial-of-service without authentication.
Medium-priority fixes cover path traversal (CVE-2025-42894), open redirects (CVE-2025-42924), reflected XSS (CVE-2025-42886), and missing authentication (CVE-2025-42885) in components like SAP HANA 2.0 and Business One. Lower-severity updates address missing authorizations and cache poisoning in S/4HANA and Fiori.
These vulnerabilities highlight ongoing challenges in SAP’s legacy and modern stacks, where code execution paths remain prime targets for advanced persistent threats.
Enterprises should conduct vulnerability scans, segment networks, and test patches in staging before production rollout to mitigate risks. By addressing these flaws promptly, organizations can maintain resilience against evolving cyber threats in mission-critical SAP deployments.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
