SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform.
The security problem in SQL Anywhere Monitor is tracked as CVE-2025-42890 and consists of hardcoded credentials. Because of the elevated risk, the vulnerability received the maximum severity score of 10.0.
“SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution,” reads the description for the flaw.
Depending on how they are used, an attacker who obtains the credentials can use them to acceess administrative functions.
SQL Anywhere Monitor is a database monitoring and alert tool, part of the SQL Anywhere suite, typically used by organizations managing distributed or remote databases.
The non-GUI monitor component is typically deployed on unattended appliances where it runs without frequent human oversight.
The second critical vulnerability, identified as CVE-2025-42887, has a severity score of 9.9 and affects the SAP Solution Manager, a platform for application lifecycle management.
“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” reads the entry in the National Vulnerability Database.
“This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system.”
SAP Solution Manager is a centralized management and monitoring platform for SAP environments, typically used by large enterprises that operate complex networks encompassing ERP, CRM, and analytics solutions.
In the context of the November 2025 security updates pack, SAP also released fixes for one high-severity flaw (CVE-2025-42940) and 14 other medium-severity vulnerabilities.
Also, the German software giant released updates for CVE-2025-42944, a critical flaw in NetWeaver that was initially addressed last month.
SAP products, widely deployed across large enterprises and entrusted with mission-critical data, are frequent targets for threat actors seeking high-value access.
Earlier this year, SecurityBridge researchers reported active exploitation of a critical code-injection vulnerability, tracked as CVE-2025-42957, affecting SAP S/4HANA, Business One, and NetWeaver systems.
No active exploitation has been detected for the two critical flaws that SAP fixed today, but system administrators are advised to apply the available updates as soon as possible and follow the vendor’s mitigation recommendations for CVE-2025-42890 and CVE-2025-42887 (accessible only to account holders).
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.