Vahagn Vardanian

Co-founder and CTO of RedRays

SAP security patches November 2025

SAP has released its November 2025 security patch package containing 20 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes three HotNews vulnerabilities with CVSS ratings of 10.0 and 9.9, one High priority issue, fourteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, SAP Solution Manager, SAP Business Connector, SAP HANA, CommonCryptoLib, and various application components.

Total Security Notes: 20
HotNews Critical: 3
High Priority: 1
Medium Priority: 14
Low Priority: 2

Executive Summary

  • Maximum Severity Insecure Deserialization: CVE-2025-42944 (CVSS 10.0) in NetWeaver AS Java RMI-P4 and CVE-2025-42890 (CVSS 10.0) in SQL Anywhere Monitor allow unauthenticated remote code execution with complete system compromise across connected environments.
  • Critical Code Injection: CVE-2025-42887 (CVSS 9.9) in SAP Solution Manager enables authenticated attackers to execute arbitrary code with full system takeover and cross-scope impact.
  • Cryptographic Vulnerability: CVE-2025-42940 (CVSS 7.5), a memory corruption flaw in SAP CommonCryptoLib, causes denial of service and affects cryptographic operations across the SAP landscape.
  • Multiple Injection Vectors: JNDI injection in NetWeaver Portal, OS command injection in Business Connector, SQL injection in Starter Solution, and code injection in HANA JDBC Client requiring immediate attention.

Critical HotNews Vulnerabilities

Insecure Deserialization in NetWeaver AS Java

CVSS 10.0 | CVE-2025-42944 | Component: BC-JAS-COR | Type: Deserialization
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

An insecure deserialization vulnerability in SAP NetWeaver AS Java allows unauthenticated remote attackers to execute arbitrary code. This maximum severity flaw enables complete system compromise with full confidentiality, integrity, and availability impact across connected environments.

SAP Note 3660659 — emergency patch required immediately.

Insecure Key & Secret Management in SQL Anywhere Monitor

CVSS 10.0 | CVE-2025-42890 | Component: BC-SYB-SQA-ADM | Type: Secret Management
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Critical insecure key and secret management vulnerability in SQL Anywhere Monitor (Non-GUI) allows unauthenticated remote attackers to compromise cryptographic secrets. Successful exploitation leads to complete system takeover with maximum impact on confidentiality, integrity, and availability across connected systems.

SAP Note 3666261 — patch within 24 hours.

Code Injection in SAP Solution Manager

CVSS 9.9 | CVE-2025-42887 | Component: SV-SMG-SVD-SWB | Type: Code Injection
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Critical code injection vulnerability in SAP Solution Manager allows authenticated attackers with low privileges to inject and execute malicious code. The vulnerability has cross-scope impact enabling complete compromise of confidentiality, integrity, and availability across connected systems.

Technical Details: The vulnerability affects function module DSVAS_CHECK_SDCC_IMPORT_PARAMS in function group DSVAS_DEV_DL. Vulnerable component: SAP Solution Manager (ST) Release 720, correction instructions 0020751259 and 0001694331. The flaw allows parameter manipulation during import operations, enabling code injection through improperly validated BDLFUPIMP table entries where IS_DEFAULT is initial.

SAP Note 3668705 — immediate patching required.

High Priority Security Issues

Memory Corruption in SAP CommonCryptoLib

CVSS 7.5 | CVE-2025-42940 | Component: BC-IAM-SSO-CCL | Type: Memory Corruption
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Memory corruption vulnerability in SAP CommonCryptoLib allows unauthenticated remote attackers to cause denial of service conditions. As CommonCryptoLib is a foundational cryptographic library used across the SAP landscape, this vulnerability has widespread impact on availability of cryptographic operations.

SAP Note 3633049 — high priority patch within 48 hours.

Medium Priority Vulnerabilities

OS Command Injection in SAP Business Connector

CVSS 6.8 | CVE-2025-42892 | Component: BC-MID-BUS | Type: Command Injection
Vector: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

OS command injection vulnerability in SAP Business Connector allows high-privileged attackers on adjacent networks to execute arbitrary operating system commands leading to complete system compromise.

SAP Note 3665900 — schedule patch.

Code Injection in SAP HANA JDBC Client

CVSS 6.9 | CVE-2025-42895 | Component: HAN-DB-CLI | Type: Code Injection
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:H

Code injection vulnerability in SAP HANA JDBC Client allows high-privileged local attackers to inject malicious code with user interaction, resulting in cross-scope impact on availability and partial impact on confidentiality and integrity.

SAP Note 3643385 — medium priority.

Path Traversal in SAP Business Connector

CVSS 6.8 | CVE-2025-42894 | Component: BC-MID-BUS | Type: Path Traversal
Vector: CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Path traversal vulnerability in SAP Business Connector enables high-privileged attackers on adjacent networks to access files outside intended directories, potentially leading to unauthorized data access and system compromise.

SAP Note 3666038 — apply patch.

JNDI Injection in NetWeaver Enterprise Portal

CVSS 6.5 | CVE-2025-42884 | Component: EP-PIN-APF-CAT | Type: JNDI Injection
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

JNDI injection vulnerability in SAP NetWeaver Enterprise Portal allows unauthenticated remote attackers to manipulate JNDI lookups, potentially leading to unauthorized information disclosure and data manipulation.

SAP Note 3660969 — maintenance window.

Reflected XSS in SAP Business Connector

CVSS 6.1 | CVE-2025-42886 | Component: BC-MID-BUS | Type: XSS
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reflected Cross-Site Scripting vulnerability in SAP Business Connector allows unauthenticated attackers to inject malicious scripts that execute in victims' browsers with cross-scope impact.

SAP Note 3665907 — apply update.

Open Redirect in SAP Business Connector

CVSS 6.1 | CVE-2025-42893 | Component: BC-MID-BUS | Type: Open Redirect
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Open redirect vulnerability in SAP Business Connector allows unauthenticated attackers to redirect users to malicious sites, enabling phishing attacks and credential theft with cross-scope impact.

SAP Note 3662000 — schedule update.

Open Redirect in SAP E-Recruiting

CVSS 6.1 | CVE-2025-42924 | Component: PA-ER | Type: Open Redirect
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Open redirect vulnerabilities in SAP S/4HANA E-Recruiting BSP component enable unauthenticated attackers to redirect users to external malicious sites for phishing and social engineering attacks.

SAP Note 3642398 — routine update.

Missing Authentication in SAP HANA hdbrss

CVSS 5.8 | CVE-2025-42885 | Component: HAN-DB-ENG | Type: Missing Authentication
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Missing authentication vulnerability in SAP HANA 2.0 hdbrss component allows unauthenticated remote attackers to access sensitive information with cross-scope impact on confidentiality.

SAP Note 3639264 — apply fix.

Information Disclosure in SAP GUI for Windows

CVSS 5.5 | CVE-2025-42888 | Component: BC-FES-GUI | Type: Information Disclosure
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Information disclosure vulnerability in SAP GUI for Windows allows high-privileged local users to access sensitive information with cross-scope impact requiring user interaction.

SAP Note 3651097 — apply update.

SQL Injection in SAP Starter Solution

CVSS 5.4 | CVE-2025-42889 | Component: FI-LOC-SAF-PL | Type: SQL Injection
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SQL injection vulnerability in SAP Starter Solution (PL SAFT) allows authenticated attackers with low privileges to manipulate SQL queries, leading to unauthorized data access and modification.

SAP Note 2886616 — schedule patch.

Information Disclosure in NetWeaver AS Java

CVSS 5.3 | CVE-2025-42919 | Component: BC-JAS-WEB | Type: Information Disclosure
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Information disclosure vulnerability in SAP NetWeaver Application Server Java allows unauthenticated remote attackers to access low-level sensitive information from the system.

SAP Note 3643603 — apply patch.

Information Disclosure in SAP Business One SLD

CVSS 5.3 | CVE-2025-42897 | Component: SBO-BC-SLD | Type: Information Disclosure
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Information disclosure vulnerability in SAP Business One Service Layer Discovery (SLD) component allows unauthenticated remote attackers to access sensitive system information.

SAP Note 3652901 — routine update.

Missing Authorization in NetWeaver ABAP

CVSS 4.3 | CVE-2025-42882 | Component: BC-DB-DB6 | Type: Missing Authorization
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check vulnerability in SAP NetWeaver Application Server for ABAP allows authenticated users to access information beyond their authorization level.

SAP Note 3643337 — apply fix.

Missing Authorization in SAP S4CORE

CVSS 4.3 | CVE-2025-42899 | Component: FI-FIO-GL-TRA | Type: Missing Authorization
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Missing authorization check in SAP S4CORE Manage Journal Entries application allows authenticated users with low privileges to access sensitive financial information.

SAP Note 3530544 — schedule update.

Low Priority Security Updates

Cache Poisoning in SAP Fiori for SAP ERP

CVSS 3.1 | CVE-2025-23191 | Component: OPU-GW-COR | Type: Cache Poisoning
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Cache poisoning vulnerability through header manipulation in SAP Fiori for SAP ERP allows authenticated attackers with low privileges to manipulate cached content under complex attack conditions.

SAP Note 3426825 — regular maintenance cycle.

Insecure File Operations in NetWeaver ABAP Migration Workbench

CVSS 2.7 | CVE-2025-42883 | Component: BC-SRV-DX-DXW | Type: File Operations
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Insecure file operations vulnerability in SAP NetWeaver Application Server for ABAP Migration Workbench allows high-privileged administrators to perform file operations with limited integrity impact.

SAP Note 3634053 — low priority update.
