Warning: Two New Critical Vulnerabilities in SAP Products, Attackers Can Gain Full Control of the Affected Systems, Patch Immediately!

Published: 12/11/2025

    * Last update: 12/11/2025

    * Affected software:
        • SQL Anywhere Monitor (Non-GUI)
        • SAP NetWeaver AS Java
        • SAP Solution Manager
        • SAP CommonCryptoLib
        • SAP HANA JDBC Client
        • SAP Business Connector
        • SAP NetWeaver Enterprise Portal
        • SAP S/4HANA landscape (SAP E-Recruiting BSP)
        • SAP HANA 2.0 (hdbrss)
        • SAP GUI for Windows
        • SAP Starter Solution (PL SAFT)
        • SAP NetWeaver Application Server Java
        • SAP Business One (SLD)
        • SAP S4CORE (Manage Journal Entries)
        • SAP NetWeaver Application Server for ABAP
        • SAP Fiori for SAP ERP

    * Type:
        • From Remote Code Execution to Information Disclosure

    * CVE/CVSS:
        • CVE-2025-42887: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
        • CVE-2025-42890: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


Sources

SAP: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html

Risks

SAP's Security Patch Day of November 2025 covered 18 new security vulnerabilities and included 2 updates to previously released vulnerabilities.
It includes 3 critical vulnerabilities in total, which allow an attacker to perform remote code execution and gain full control of the affected systems.

Description

The CCB would like to draw your attention to the following vulnerabilities:

CVE-2025-42887: SAP Solution Manager
Missing Input Sanitization Vulnerability. An authenticated attacker can inject malicious code when calling a remote-enabled function module. Successful exploitation gives full control of the compromised system. The attack requires no user interaction, and the privileges required are low.

CVE-2025-42890: SQL Anywhere Monitor (Non-GUI)
Hardcoded Credentials Vulnerability. An attacker can achieve arbitrary code execution by using hardcoded credentials found in the software. The attack can be carried out remotely, with no privileges and no user interaction required.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version or implementing specific mitigations may protect against future exploitation, it does not remediate historic compromise.

References
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42887
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42890