SAP Security Update – Patch for Critical Vulnerabilities Allowing Code Execution and Injection Attacks
SAP released its monthly Security Patch Day updates, addressing 18 new security notes and providing two updates to existing ones, focusing on vulnerabilities that could enable remote code execution and various injection attacks across its product ecosystem.
These patches are crucial for enterprises relying on SAP systems, as unpatched flaws could expose sensitive data to threat actors and cause operational disruptions.
SAP urges customers to prioritize applying these fixes via the Support Portal to safeguard their landscapes from potential exploits.
Critical Vulnerabilities Patched
Among the most severe issues is CVE-2025-42890 in SQL Anywhere Monitor (Non-GUI), version 17.0, which stems from insecure key and secret management practices.
This critical vulnerability, scored at CVSS 10.0, allows unauthenticated attackers over the network to compromise confidentiality, integrity, and availability with high impact, potentially leading to full system takeover through exposed credentials.
Similarly, an update to CVE-2025-42944 in SAP NetWeaver AS Java (SERVERCORE 7.50) reinforces protections against an insecure deserialization flaw that retains its CVSS 10.0 rating and would allow unauthenticated remote code execution via malicious payloads.
Security experts highlight that such deserialization flaws have been exploited in the wild, underscoring the urgency for immediate patching.
Another high-impact flaw, CVE-2025-42887 in SAP Solution Manager (ST 720), introduces a code injection vulnerability exploitable by authenticated users with low privileges, earning a CVSS score of 9.9.
Attackers could leverage this to achieve cross-scope escalation, executing arbitrary code and disrupting core business functions. This aligns with broader trends in SAP vulnerabilities where injection attacks target foundational components, amplifying risks in enterprise environments.
The patch day also tackles multiple injection-related issues at medium severity, including CVE-2025-42892 for OS command injection in SAP Business Connector (version 4.8), CVSS 6.8, which could allow high-privileged adjacent attackers to run unauthorized commands.
CVE-2025-42884 involves JNDI injection in SAP NetWeaver Enterprise Portal (EP-BASIS 7.50), potentially leading to unauthorized lookups and data leaks, rated at CVSS 6.5.
Additionally, CVE-2025-42889 addresses SQL injection in SAP Starter Solution (PL SAFT) across various versions, enabling low-privileged users to manipulate database queries.
High-severity notes include CVE-2025-42940, a memory corruption issue in SAP CommonCryptoLib (version 8) with CVSS 7.5, which could cause denial-of-service without authentication.
Medium-priority fixes cover path traversal (CVE-2025-42894), open redirects (CVE-2025-42924), reflected XSS (CVE-2025-42886), and missing authentication (CVE-2025-42885) in components like SAP HANA 2.0 and Business One. Lower-severity updates address missing authorizations and cache poisoning in S/4HANA and Fiori.
SAP November 2025 Vulnerability Details
The following table summarizes the 18 new and 2 updated security notes from SAP’s November 2025 Patch Day, including note numbers, associated CVEs, vulnerability titles, affected products, versions, priorities, and CVSS v3.0 scores.
| Note# | CVE | Title | Product | Version(s) | Priority | CVSS |
|---|---|---|---|---|---|---|
| 3666261 | CVE-2025-42890 | Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui) | SQL Anywhere Monitor (Non-Gui) | SYBASE_SQL_ANYWHERE_SERVER 17.0 | Critical | 10.0 |
| 3660659 (Update) | CVE-2025-42944 | Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java | SAP NetWeaver AS Java | SERVERCORE 7.50 | Critical | 10.0 |
| 3668705 | CVE-2025-42887 | Code Injection vulnerability in SAP Solution Manager | SAP Solution Manager | ST 720 | Critical | 9.9 |
| 3633049 | CVE-2025-42940 | Memory Corruption vulnerability in SAP CommonCryptoLib | SAP CommonCryptoLib | CRYPTOLIB 8 | High | 7.5 |
| 3643385 | CVE-2025-42895 | Code Injection vulnerability in SAP HANA JDBC Client | SAP HANA JDBC Client | HDB_CLIENT 2.0 | Medium | 6.9 |
| 3665900 | CVE-2025-42892 | OS Command Injection vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.8 |
| 3666038 | CVE-2025-42894 | Path Traversal vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.8 |
| 3660969 | CVE-2025-42884 | JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal | EP-BASIS 7.50, EP-RUNTIME 7.50 | Medium | 6.5 |
| 3642398 | CVE-2025-42924 | Open Redirect vulnerabilities in SAP S/4HANA landscape (SAP E-Recruiting BSP) | SAP S/4HANA landscape (SAP E-Recruiting BSP) | S4ERECRT 100, 200, ERECRUIT 600, 603, 604, 605, 606, 616, 617, 800, 801, 802 | Medium | 6.1 |
| 3662000 | CVE-2025-42893 | Open Redirect vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.1 |
| 3665907 | CVE-2025-42886 | Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.1 |
| 3639264 | CVE-2025-42885 | Missing authentication in SAP HANA 2.0 (hdbrss) | SAP HANA 2.0 (hdbrss) | HDB 2.00 | Medium | 5.8 |
| 3651097 | CVE-2025-42888 | Information Disclosure vulnerability in SAP GUI for Windows | SAP GUI for Windows | BC-FES-GUI 8.00, 8.10 | Medium | 5.5 |
| 2886616 | CVE-2025-42889 | SQL Injection vulnerability in SAP Starter Solution (PL SAFT) | SAP Starter Solution (PL SAFT) | SAP_APPL 600, 602, 603, 604, 605, 606, 616, SAP_FIN 617, 618, 700, 720, 730, S4CORE 100, 101, 102, 103, 104 | Medium | 5.4 |
| 3643603 | CVE-2025-42919 | Information Disclosure vulnerability in SAP NetWeaver Application Server Java | SAP NetWeaver Application Server Java | ENGINEAPI 7.50, EP-BASIS 7.50 | Medium | 5.3 |
| 3652901 | CVE-2025-42897 | Information Disclosure vulnerability in SAP Business One (SLD) | SAP Business One (SLD) | B1_ON_HANA 10.0, SAP-M-BO 10.0 | Medium | 5.3 |
| 3530544 | CVE-2025-42899 | Missing Authorization check in SAP S4CORE (Manage Journal Entries) | SAP S4CORE (Manage Journal Entries) | S4CORE 104, 105, 106, 107, 108 | Medium | 4.3 |
| 3643337 | CVE-2025-42882 | Missing Authorization check in SAP NetWeaver Application Server for ABAP | SAP NetWeaver Application Server for ABAP | SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 | Medium | 4.3 |
| 3426825 (Update) | CVE-2025-23191 | Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | SAP Fiori for SAP ERP | SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Low | 3.1 |
| 3634053 | CVE-2025-42883 | Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench) | SAP NetWeaver Application Server for ABAP (Migration Workbench) | SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 | Low | 2.7 |
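As an added example (not code from the article or from SAP), the Python script below parses rows of the note table above into records and matches them against a landscape's installed software-component versions, ordering the hits by CVSS so the Critical notes surface first. The embedded rows are copied from the table; the component inventory is a constructed assumption, and matching is exact on SAP's component and version strings as printed (for example `SERVERCORE 7.50`, `SAP BC 4.8`).

```python
"""Added example: triage SAP Patch Day notes against an installed-component inventory.
Not the article's or SAP's code; the inventory below is constructed."""
import re
from dataclasses import dataclass

# Rows copied from the article's November 2025 Patch Day table (subset, same shape).
NOTE_TABLE = """\
| Note# | CVE | Title | Product | Version(s) | Priority | CVSS |
|---|---|---|---|---|---|---|
| 3666261 | CVE-2025-42890 | Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui) | SQL Anywhere Monitor (Non-Gui) | SYBASE_SQL_ANYWHERE_SERVER 17.0 | Critical | 10.0 |
| 3660659 (Update) | CVE-2025-42944 | Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java | SAP NetWeaver AS Java | SERVERCORE 7.50 | Critical | 10.0 |
| 3633049 | CVE-2025-42940 | Memory Corruption vulnerability in SAP CommonCryptoLib | SAP CommonCryptoLib | CRYPTOLIB 8 | High | 7.5 |
| 3665900 | CVE-2025-42892 | OS Command Injection vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.8 |
| 3643337 | CVE-2025-42882 | Missing Authorization check in SAP NetWeaver Application Server for ABAP | SAP NetWeaver Application Server for ABAP | SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 | Medium | 4.3 |
| 3426825 (Update) | CVE-2025-23191 | Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | SAP Fiori for SAP ERP | SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Low | 3.1 |
| 3651097 | CVE-2025-42888 | Information Disclosure vulnerability in SAP GUI for Windows | SAP GUI for Windows | BC-FES-GUI 8.00, 8.10 | Medium | 5.5 |
"""

@dataclass
class Note:
    note: str
    is_update: bool
    cve: str
    title: str
    product: str
    affected: dict      # component name -> set of affected version strings
    priority: str
    cvss: float

def parse_versions(cell):
    """'SAP_APPL 600, 602, SAP_FIN 617' -> {'SAP_APPL': {'600', '602'}, 'SAP_FIN': {'617'}}.
    A comma-separated token containing a space starts a new component; the text before
    the last space is the component name, so multi-word names like 'SAP BC 4.8' work."""
    affected, component = {}, None
    for token in (t.strip() for t in cell.split(",")):
        if not token:
            continue
        if " " in token:
            component, version = token.rsplit(" ", 1)
            affected.setdefault(component, set()).add(version)
        elif component is not None:
            affected[component].add(token)
        else:
            raise ValueError(f"version without a component: {token!r}")
    return affected

def parse_table(text):
    """Parse markdown table rows into Note records, skipping header and separator lines."""
    notes = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or set(line) <= set("|- "):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 7 or cells[0] == "Note#":
            continue
        note_cell, cve, title, product, versions, priority, cvss = cells
        m = re.fullmatch(r"(\d+)(\s*\(Update\))?", note_cell)
        if not m:
            raise ValueError(f"unrecognised note id: {note_cell!r}")
        notes.append(Note(m.group(1), bool(m.group(2)), cve, title, product,
                          parse_versions(versions), priority, float(cvss)))
    return notes

def applicable_notes(notes, inventory):
    """inventory: component -> set of installed versions (SAP's notation, exact match).
    Returns the notes that touch an installed version, highest CVSS first."""
    hits = [n for n in notes
            if any(versions & inventory.get(comp, set())
                   for comp, versions in n.affected.items())]
    return sorted(hits, key=lambda n: (-n.cvss, n.note))

if __name__ == "__main__":
    # Constructed inventory of a hypothetical landscape: one ABAP stack, one Java stack.
    inventory = {"SAP_BASIS": {"750"}, "SAP_GWFND": {"750"}, "SERVERCORE": {"7.50"}}
    for n in applicable_notes(parse_table(NOTE_TABLE), inventory):
        flag = " (update)" if n.is_update else ""
        print(f"{n.cvss:4.1f} {n.priority:<8} note {n.note}{flag} {n.cve}: {n.title}")
```

Running it against the constructed inventory lists note 3660659 (CVSS 10.0) first, then 3643337 and 3426825; components not in the inventory, such as SAP BC 4.8, are left out. Because matching is exact on the printed strings, an inventory exported from a system must use the same component names and version tokens SAP prints in the note, or be normalised first.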
These vulnerabilities highlight ongoing challenges in SAP’s legacy and modern stacks, where code execution paths remain prime targets for advanced persistent threats.
Enterprises should conduct vulnerability scans, segment networks, and test patches in staging before production rollout to mitigate risks. By addressing these flaws promptly, organizations can maintain resilience against evolving cyber threats in mission-critical SAP deployments.
The post SAP Security Update – Patch for Critical Vulnerabilities Allowing Code Execution and Injection Attacks appeared first on Cyber Security News.
Guru Baran