
Two Critical CVSS 10 Vulnerabilities Headline SAP’s November Security Updates

  • 17/11/2025

 
 

SAP has released its November security patches, including 18 new fixes and 2 updates to previously published security notes. Notably, two vulnerabilities have been rated CVSS 10 and another critical flaw scored 9.9, all affecting essential components widely used across enterprise environments.



1. CVE-2025-42890 – Hardcoded Credentials in SQL Anywhere Monitor (CVSS 10)

This vulnerability affects SQL Anywhere Monitor, a Sybase-based database monitoring tool. Hardcoded credentials embedded in the source code allow unauthenticated attackers to:

  • Execute arbitrary code

  • Gain unauthorized access to sensitive database environments

  • Compromise the confidentiality, integrity, and availability of the system


2. CVE-2025-42944 – Unsafe Deserialization in SAP NetWeaver AS Java (CVSS 10)

Located in the RMI-P4 module, this flaw enables attackers to send malicious payloads to an exposed port, leading to remote command execution on the underlying OS.
SAP confirms this is an extended fix from a previous advisory, reflecting its ongoing hardening of Java-based systems. Because NetWeaver is heavily deployed in enterprise operations, unpatched or publicly exposed RMI services make this vulnerability extremely high-risk.


3. CVE-2025-42887 – Missing Input Validation in SAP Solution Manager ST 720 (CVSS 9.9)

An authenticated attacker could inject and execute malicious code through improperly validated remote function calls. Successful exploitation may lead to full system compromise, with significant impact on business operations and data integrity.


Other High and Medium Severity Fixes

The November update also addresses multiple vulnerabilities across SAP’s ecosystem, including:

  • CVE-2025-42940 – Memory corruption in CommonCryptoLib (CVSS 7.5)

  • CVE-2025-42895 – Code injection in SAP HANA JDBC Client (CVSS 6.9)

  • CVE-2025-42892/42894 – OS command injection & path traversal in SAP Business Connector (CVSS 6.8)

  • CVE-2025-42884 – JNDI injection in Enterprise Portal (CVSS 6.5)

  • CVE-2025-42924/42893 – Open redirect in S/4HANA and Business Connector (CVSS 6.1)

  • CVE-2025-42885 – Missing authentication in SAP HANA 2.0 (CVSS 5.8)

  • CVE-2025-42888 – Information disclosure in SAP GUI for Windows (CVSS 5.5)

  • CVE-2025-42899/42882 – Insufficient authorization checks in S4CORE & NetWeaver ABAP (CVSS 4.3)

  • CVE-2025-42883 – Unsafe file handling in ABAP Migration Workbench (CVSS 2.7)


DTG CORP Recommendations

Given the broad impact of SAP’s November updates, organizations should:

  • Apply all relevant patches immediately

  • Review exposed RMI services and network accessibility

  • Assess Internet-facing SAP components

  • Strengthen monitoring for suspicious activity

DTG CORP is ready to support enterprises in vulnerability assessment, patch deployment, and enhancing SAP environment security amid escalating cyber threats.

(Information referenced from WhiteHat)

