SAP has released a significant security update addressing 18 new vulnerabilities across its enterprise software portfolio, including several critical flaws related to code execution and data injection.
This monthly security patch day features four high-severity vulnerabilities that require immediate attention from organizations utilizing SAP infrastructure.
The most severe vulnerabilities have a CVSS score of 10.0, indicating the highest severity.
CVE-2025-42890 affects SQL Anywhere Monitor (Non-GUI) and involves insecure key and secret management, potentially allowing attackers to compromise cryptographic credentials.
Similarly critical is CVE-2025-42944, which is an insecure deserialization vulnerability in SAP NetWeaver AS Java. This flaw could enable remote code execution without requiring authentication or user interaction.
CVE-2025-42887, a code injection flaw in SAP Solution Manager, has a CVSS score of 9.9. While this vulnerability requires low-level privileges, it could allow attackers to execute arbitrary code within the Solution Manager environment.
The fourth critical issue, CVE-2025-42940, is a memory corruption vulnerability in SAP CommonCryptoLib, rated as high severity (7.5 on the CVSS scale). This could lead to denial-of-service attacks or information disclosure.
| CVE ID | Vulnerability Type | Product | CVSS | Priority |
|---|---|---|---|---|
| CVE-2025-42890 | Insecure Key & Secret Management | SQL Anywhere Monitor (Non-GUI) | 10.0 | Critical |
| CVE-2025-42944 | Insecure Deserialization | SAP NetWeaver AS Java | 10.0 | Critical |
| CVE-2025-42887 | Code Injection | SAP Solution Manager | 9.9 | Critical |
| CVE-2025-42940 | Memory Corruption | SAP CommonCryptoLib | 7.5 | High |
| CVE-2025-42895 | Code Injection | SAP HANA JDBC Client | 6.9 | Medium |
| CVE-2025-42892 | OS Command Injection | SAP Business Connector | 6.8 | Medium |
| CVE-2025-42894 | Path Traversal | SAP Business Connector | 6.8 | Medium |
| CVE-2025-42884 | JNDI Injection | SAP NetWeaver Enterprise Portal | 6.5 | Medium |
| CVE-2025-42924 | Open Redirect | SAP S/4HANA E-Recruiting BSP | 6.1 | Medium |
| CVE-2025-42893 | Open Redirect | SAP Business Connector | 6.1 | Medium |
| CVE-2025-42886 | Reflected XSS | SAP Business Connector | 6.1 | Medium |
| CVE-2025-42885 | Missing Authentication | SAP HANA 2.0 (hdbrss) | 5.8 | Medium |
| CVE-2025-42888 | Information Disclosure | SAP GUI for Windows | 5.5 | Medium |
| CVE-2025-42889 | SQL Injection | SAP Starter Solution (PL SAFT) | 5.4 | Medium |
| CVE-2025-42919 | Information Disclosure | SAP NetWeaver Application Server Java | 5.3 | Medium |
| CVE-2025-42897 | Information Disclosure | SAP Business One (SLD) | 5.3 | Medium |
| CVE-2025-42899 | Missing Authorization | SAP S4CORE (Manage Journal Entries) | 4.3 | Medium |
| CVE-2025-42882 | Missing Authorization | SAP NetWeaver Application Server ABAP | 4.3 | Medium |
| CVE-2025-23191 | Cache Poisoning via Header Manipulation | SAP Fiori for SAP ERP | 3.1 | Low |
| CVE-2025-42883 | Insecure File Operations | SAP NetWeaver ABAP (Migration Workbench) | 2.7 | Low |
In addition to these critical vulnerabilities, SAP addressed 14 medium and low-severity issues. Notably, CVE-2025-42892 describes an OS command injection vulnerability in SAP Business Connector.
At the same time, CVE-2025-42889 addresses SQL injection in SAP Starter Solution, affecting multiple versions.
The company also resolved issues related to JNDI injection flaws, open redirects, cross-site scripting, and missing authentication controls across various products.
Organizations operating affected SAP systems should prioritize patching based on their deployment architecture.
The critical deserialization and key management vulnerabilities pose the highest risk due to their network-accessible nature and minimal exploitation requirements.
Urgent attention is needed for SQL Anywhere Monitor and NetWeaver AS Java environments.
SAP recommends that administrators review security notes on the SAP Support Portal and systematically apply patches across their systems.
The company emphasizes that secure configuration is essential for maintaining data integrity and operational security. Additionally, two previously released security notes have been updated, indicating ongoing refinement of earlier patches.
This November patch day highlights the importance of keeping SAP deployments up to date and implementing compensating controls when immediate patching is not feasible.
Organizations should collaborate with their SAP support teams to develop deployment strategies that balance security urgency with operational stability.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.