SAP Security Update – Patch for Critical Vulnerabilities Allowing Code Execution and Injection Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

SAP released its monthly Security Patch Day updates, addressing 18 new security notes and providing two updates to existing ones, focusing on vulnerabilities that could enable remote code execution and various injection attacks across its product ecosystem.

These patches are crucial for enterprises relying on SAP systems, as unpatched flaws could expose sensitive data to threat actors and lead to operational disruptions.

SAP urges customers to prioritize applying these fixes via the Support Portal to safeguard their landscapes from potential exploits.

Critical Vulnerabilities Patched

Among the most severe issues is CVE-2025-42890 in SQL Anywhere Monitor (Non-GUI), version 17.0, which stems from insecure key and secret management practices.

This critical vulnerability, scored at CVSS 10.0, allows unauthenticated attackers over the network to compromise confidentiality, integrity, and availability with high impact, potentially leading to full system takeover through exposed credentials.

Similarly, an update to the note for CVE-2025-42944 in SAP NetWeaver AS Java (SERVERCORE 7.50) reinforces protections against insecure deserialization; the flaw keeps its CVSS 10.0 rating and allows unauthenticated remote code execution via malicious payloads.

Security experts highlight that such deserialization flaws have been exploited in the wild, underscoring the urgency for immediate patching.

Another high-impact flaw, CVE-2025-42887 in SAP Solution Manager (ST 720), introduces a code injection vulnerability exploitable by authenticated users with low privileges, earning a CVSS score of 9.9.

Attackers could leverage this to achieve cross-scope escalation, executing arbitrary code and disrupting core business functions. This aligns with broader trends in SAP vulnerabilities where injection attacks target foundational components, amplifying risks in enterprise environments.

The patch day also tackles multiple injection-related issues at medium severity, including CVE-2025-42892 for OS command injection in SAP Business Connector (version 4.8), CVSS 6.8, which could allow high-privileged adjacent attackers to run unauthorized commands.

CVE-2025-42884 involves JNDI injection in SAP NetWeaver Enterprise Portal (EP-BASIS 7.50), potentially leading to unauthorized lookups and data leaks, rated at CVSS 6.5.

Additionally, CVE-2025-42889 addresses SQL injection in SAP Starter Solution (PL SAFT) across various versions, enabling low-privileged users to manipulate database queries.

High-severity notes include CVE-2025-42940, a memory corruption issue in SAP CommonCryptoLib (version 8) with CVSS 7.5, which could cause denial-of-service without authentication.

Medium-priority fixes cover path traversal (CVE-2025-42894), open redirects (CVE-2025-42924), reflected XSS (CVE-2025-42886), and missing authentication (CVE-2025-42885) in components like SAP HANA 2.0 and Business One. Lower-severity updates address missing authorizations and cache poisoning in S/4HANA and Fiori.

SAP November 2025 Vulnerability Details

The following table summarizes the 18 new and 2 updated security notes from SAP’s November 2025 Patch Day, including note numbers, associated CVEs, vulnerability titles, affected products, versions, priorities, and CVSS v3.0 scores.

| Note# | CVE | Title | Product | Version(s) | Priority | CVSS |
|---|---|---|---|---|---|---|
| 3666261 | CVE-2025-42890 | Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui) | SQL Anywhere Monitor (Non-Gui) | SYBASE_SQL_ANYWHERE_SERVER 17.0 | Critical | 10.0 |
| 3660659 (Update) | CVE-2025-42944 | Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java | SAP NetWeaver AS Java | SERVERCORE 7.50 | Critical | 10.0 |
| 3668705 | CVE-2025-42887 | Code Injection vulnerability in SAP Solution Manager | SAP Solution Manager | ST 720 | Critical | 9.9 |
| 3633049 | CVE-2025-42940 | Memory Corruption vulnerability in SAP CommonCryptoLib | SAP CommonCryptoLib | CRYPTOLIB 8 | High | 7.5 |
| 3643385 | CVE-2025-42895 | Code Injection vulnerability in SAP HANA JDBC Client | SAP HANA JDBC Client | HDB_CLIENT 2.0 | Medium | 6.9 |
| 3665900 | CVE-2025-42892 | OS Command Injection vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.8 |
| 3666038 | CVE-2025-42894 | Path Traversal vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.8 |
| 3660969 | CVE-2025-42884 | JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal | EP-BASIS 7.50, EP-RUNTIME 7.50 | Medium | 6.5 |
| 3642398 | CVE-2025-42924 | Open Redirect vulnerabilities in SAP S/4HANA landscape (SAP E-Recruiting BSP) | SAP S/4HANA landscape (SAP E-Recruiting BSP) | S4ERECRT 100, 200, ERECRUIT 600, 603, 604, 605, 606, 616, 617, 800, 801, 802 | Medium | 6.1 |
| 3662000 | CVE-2025-42893 | Open Redirect vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.1 |
| 3665907 | CVE-2025-42886 | Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector | SAP Business Connector | SAP BC 4.8 | Medium | 6.1 |
| 3639264 | CVE-2025-42885 | Missing authentication in SAP HANA 2.0 (hdbrss) | SAP HANA 2.0 (hdbrss) | HDB 2.00 | Medium | 5.8 |
| 3651097 | CVE-2025-42888 | Information Disclosure vulnerability in SAP GUI for Windows | SAP GUI for Windows | BC-FES-GUI 8.00, 8.10 | Medium | 5.5 |
| 2886616 | CVE-2025-42889 | SQL Injection vulnerability in SAP Starter Solution (PL SAFT) | SAP Starter Solution (PL SAFT) | SAP_APPL 600, 602, 603, 604, 605, 606, 616, SAP_FIN 617, 618, 700, 720, 730, S4CORE 100, 101, 102, 103, 104 | Medium | 5.4 |
| 3643603 | CVE-2025-42919 | Information Disclosure vulnerability in SAP NetWeaver Application Server Java | SAP NetWeaver Application Server Java | ENGINEAPI 7.50, EP-BASIS 7.50 | Medium | 5.3 |
| 3652901 | CVE-2025-42897 | Information Disclosure vulnerability in SAP Business One (SLD) | SAP Business One (SLD) | B1_ON_HANA 10.0, SAP-M-BO 10.0 | Medium | 5.3 |
| 3530544 | CVE-2025-42899 | Missing Authorization check in SAP S4CORE (Manage Journal Entries) | SAP S4CORE (Manage Journal Entries) | S4CORE 104, 105, 106, 107, 108 | Medium | 4.3 |
| 3643337 | CVE-2025-42882 | Missing Authorization check in SAP NetWeaver Application Server for ABAP | SAP NetWeaver Application Server for ABAP | SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 | Medium | 4.3 |
| 3426825 (Update) | CVE-2025-23191 | Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | SAP Fiori for SAP ERP | SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Low | 3.1 |
| 3634053 | CVE-2025-42883 | Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench) | SAP NetWeaver Application Server for ABAP (Migration Workbench) | SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 | Low | 2.7 |
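The Version(s) column above packs several software components and their affected releases into one cell (for example "SAP_APPL 600, 602, ..., SAP_FIN 617, ..., S4CORE 100, ..."), which is awkward to compare against a landscape by eye. The script below is an added triage example, not code from the article or from SAP: it parses that cell format, matches it against a constructed inventory of installed components, and ranks the notes that apply by CVSS. The note rows embedded in it are a subset copied from the table; the inventory values and the helper names are assumptions made for the example.

```python
"""Patch-day triage: match the Version(s) column against an installed-component
inventory and rank the applicable notes by CVSS.

Added example; not code from the article or from SAP. The note rows are a
subset of the table above; the inventory is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class SecurityNote:
    note: str
    cve: str
    title: str
    affected: dict[str, set[str]]  # software component -> affected versions
    priority: str
    cvss: float


# Subset of the November 2025 table, pipe-separated, one note per line:
# note | CVE | title | Version(s) | priority | CVSS
NOTES_TABLE = """
3666261|CVE-2025-42890|Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui)|SYBASE_SQL_ANYWHERE_SERVER 17.0|Critical|10.0
3660659 (Update)|CVE-2025-42944|Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java|SERVERCORE 7.50|Critical|10.0
3665900|CVE-2025-42892|OS Command Injection vulnerability in SAP Business Connector|SAP BC 4.8|Medium|6.8
3639264|CVE-2025-42885|Missing authentication in SAP HANA 2.0 (hdbrss)|HDB 2.00|Medium|5.8
2886616|CVE-2025-42889|SQL Injection vulnerability in SAP Starter Solution (PL SAFT)|SAP_APPL 600, 602, 603, 604, 605, 606, 616, SAP_FIN 617, 618, 700, 720, 730, S4CORE 100, 101, 102, 103, 104|Medium|5.4
3643337|CVE-2025-42882|Missing Authorization check in SAP NetWeaver Application Server for ABAP|SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816|Medium|4.3
3426825 (Update)|CVE-2025-23191|Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP|SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757, 758|Low|3.1
"""

# Constructed inventory: software component -> installed release. A real run
# would take this from the system's component list; this example does not query it.
EXAMPLE_INVENTORY = {
    "SAP_BASIS": "754",
    "SAP_GWFND": "754",
    "SAP BC": "4.8",
    "HDB": "2.00",
    "SERVERCORE": "7.50",
    "S4CORE": "105",  # outside the 100-104 range listed for CVE-2025-42889
}

# '<component> <version>' where the component name may contain spaces ("SAP BC 4.8")
_COMPONENT_TOKEN = re.compile(r"(.*\S)\s+([0-9][0-9.]*)")
# bare version token that belongs to the most recently named component
_VERSION_TOKEN = re.compile(r"[0-9][0-9.]*")


def parse_versions(cell: str) -> dict[str, set[str]]:
    """Parse a Version(s) cell such as 'SAP_APPL 600, 602, SAP_FIN 617, 618'
    into {'SAP_APPL': {'600', '602'}, 'SAP_FIN': {'617', '618'}}."""
    affected: dict[str, set[str]] = {}
    current: str | None = None
    for token in (t.strip() for t in cell.split(",")):
        if not token:
            continue
        if m := _COMPONENT_TOKEN.fullmatch(token):
            current = m.group(1)
            affected.setdefault(current, set()).add(m.group(2))
        elif _VERSION_TOKEN.fullmatch(token) and current is not None:
            affected[current].add(token)
        else:
            raise ValueError(f"unparseable Version(s) token: {token!r}")
    return affected


def load_notes(table: str) -> list[SecurityNote]:
    """Build SecurityNote records from the pipe-separated table text."""
    notes = []
    for line in table.strip().splitlines():
        note, cve, title, versions, priority, cvss = (f.strip() for f in line.split("|"))
        notes.append(SecurityNote(note, cve, title, parse_versions(versions), priority, float(cvss)))
    return notes


def applicable_notes(notes: list[SecurityNote], inventory: dict[str, str]) -> list[tuple[SecurityNote, list[str]]]:
    """Return (note, matched components) for every note whose affected
    component/version pair is installed, highest CVSS first."""
    hits = []
    for n in notes:
        matched = sorted(c for c, versions in n.affected.items() if inventory.get(c) in versions)
        if matched:
            hits.append((n, matched))
    hits.sort(key=lambda hit: hit[0].cvss, reverse=True)
    return hits


if __name__ == "__main__":
    for note, comps in applicable_notes(load_notes(NOTES_TABLE), EXAMPLE_INVENTORY):
        print(f"{note.cvss:>4}  {note.priority:<8} {note.cve}  note {note.note}  ({', '.join(comps)})")
```

Release-level matching is only a first filter: a component can be on an affected release yet already carry the support package level the note requires, so the note text itself decides what is still outstanding. The example deliberately keeps the S4CORE 105 system out of the CVE-2025-42889 hit list to show that the match is exact on the listed releases.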

These vulnerabilities highlight ongoing challenges in SAP’s legacy and modern stacks, where code execution paths remain prime targets for advanced persistent threats.

Enterprises should conduct vulnerability scans, segment networks, and test patches in staging before production rollout to mitigate risks. By addressing these flaws promptly, organizations can maintain resilience against evolving cyber threats in mission-critical SAP deployments.


The post SAP Security Update – Patch for Critical Vulnerabilities Allowing Code Execution and Injection Attacks appeared first on Cyber Security News.