SAP Patch Day brings 18 new security advisories

SAP corrects vulnerabilities in several products and documents them in 18 security advisories for the November Patch Day.

SAP held its monthly patch day on Tuesday and released 18 new security advisories. Two of these address security flaws that the Walldorf-based developers classify as critical security risks; one even reaches the maximum CVSS score of 10.

On the overview page for the November Patch Day, SAP lists the affected products with a brief vulnerability description. In SQL Anywhere Monitor (Non-GUI), there is a vulnerability concerning insecure management of keys and secrets (CVE-2025-42890, CVSS 10.0, Risk “critical”). The CVE entry specifies that credentials are hardcoded in the code, which can ultimately lead to the execution of injected malicious code.

Furthermore, authenticated attackers can inject malicious code into SAP Solution Manager (CVE-2025-42887, CVSS 9.9, Risk “critical”). The description attributes this to missing input validation and filtering. This is achieved when calling a function module from the network and leads to elevated access rights, with which attackers can take full control of the system. Finally, SAP CommonCryptoLib has a memory access vulnerability (CVE-2025-42940, CVSS 7.5, Risk “high”). With manipulated packets, attackers can cause a software crash and thus a denial of service, explains the vulnerability description.

The other security advisories address vulnerabilities that are less severe. Admins should nevertheless check if they are running vulnerable instances and install the updates during the next maintenance window.

  • Code Injection vulnerability in SAP HANA JDBC Client, CVE-2025-42895, CVSS 6.9, Risk “medium”
  • OS Command Injection vulnerability in SAP Business Connector, CVE-2025-42892, CVSS 6.8, “medium”
  • Path Traversal vulnerability in SAP Business Connector, CVE-2025-42894, CVSS 6.8, “medium”
  • JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal, CVE-2025-42884, CVSS 6.5, “medium”
  • Open Redirect vulnerabilities in SAP S/4HANA landscape (SAP E-Recruiting BSP), CVE-2025-42924, CVSS 6.1, “medium”
  • Open Redirect vulnerability in SAP Business Connector, CVE-2025-42893, CVSS 6.1, “medium”
  • Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, CVE-2025-42886, CVSS 6.1, “medium”
  • Missing authentication in SAP HANA 2.0 (hdbrss), CVE-2025-42885, CVSS 5.8, “medium”
  • Information Disclosure vulnerability in SAP GUI for Windows, CVE-2025-42888, CVSS 5.5, “medium”
  • SQL Injection vulnerability in SAP Starter Solution (PL SAFT), CVE-2025-42889, CVSS 5.4, “medium”
  • Information Disclosure vulnerability in SAP NetWeaver Application Server Java, CVE-2025-42919, CVSS 5.3, “medium”
  • Information Disclosure vulnerability in SAP Business One (SLD), CVE-2025-42897, CVSS 5.3, “medium”
  • Missing Authorization check in SAP S4CORE (Manage Journal Entries), CVE-2025-42899, CVSS 4.3, “medium”
  • Missing Authorization check in SAP NetWeaver Application Server for ABAP, CVE-2025-42882, CVSS 4.3, “medium”
  • Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench), CVE-2025-42883, CVSS 2.7, “low”

SAP's Patch Day in October was noticeably less extensive, with 13 security advisories. Of those security vulnerabilities, the developers classified three as critical.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.