Advisory

SAP November 2025 security update fixes critical vulnerabilities enabling remote code execution and injection

Take action: If you're running SAP products, review the list and prioritize patches. First priority is patching and hardening SQL Anywhere Monitor, SAP NetWeaver AS and SAP Solution Manager, followed by all systems exposed to the internet. Ideally, isolate all SAP systems from the internet unless internet access is required for their use case.


Learn More

SAP has released its November 2025 Security Patch Day updates, patching multiple security vulnerabilities across its product ecosystem. The update patches 18 new security notes along with two updates to previously released security notes.

Vulnerabilities summary:

  • CVE-2025-42890 (CVSS score 10) – Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui)
  • CVE-2025-42944 (CVSS score 10) – Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java
  • CVE-2025-42887 (CVSS score 9.9) – Code Injection vulnerability in SAP Solution Manager
  • CVE-2025-42940 (CVSS score 7.5) – Memory Corruption vulnerability in SAP CommonCryptoLib
  • CVE-2025-42895 (CVSS score 6.9) – Code Injection vulnerability in SAP HANA JDBC Client
  • CVE-2025-42892 (CVSS score 6.8) – OS Command Injection vulnerability in SAP Business Connector
  • CVE-2025-42894 (CVSS score 6.8) – Path Traversal vulnerability in SAP Business Connector
  • CVE-2025-42884 (CVSS score 6.5) – JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal
  • CVE-2025-42924 (CVSS score 6.1) – Open Redirect vulnerabilities in SAP S/4HANA landscape (SAP E-Recruiting BSP)
  • CVE-2025-42893 (CVSS score 6.1) – Open Redirect vulnerability in SAP Business Connector
  • CVE-2025-42886 (CVSS score 6.1) – Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector
  • CVE-2025-42885 (CVSS score 5.8) – Missing authentication in SAP HANA 2.0 (hdbrss)
  • CVE-2025-42888 (CVSS score 5.5) – Information Disclosure vulnerability in SAP GUI for Windows
  • CVE-2025-42889 (CVSS score 5.4) – SQL Injection vulnerability in SAP Starter Solution (PL SAFT)
  • CVE-2025-42919 (CVSS score 5.3) – Information Disclosure vulnerability in SAP NetWeaver Application Server Java
  • CVE-2025-42897 (CVSS score 5.3) – Information Disclosure vulnerability in SAP Business One (SLD)
  • CVE-2025-42899 (CVSS score 4.3) – Missing Authorization check in SAP S4CORE (Manage Journal Entries)
  • CVE-2025-42882 (CVSS score 4.3) – Missing Authorization check in SAP NetWeaver Application Server for ABAP
  • CVE-2025-23191 (CVSS score 3.1) – Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP
  • CVE-2025-42883 (CVSS score 2.7) – Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench)

Organizations should consult the individual security notes for specific version information related to their deployments. Critical vulnerabilities affect SQL Anywhere Monitor 17.0, SAP NetWeaver AS Java SERVERCORE 7.50, and SAP Solution Manager ST 720. Additional affected products span SAP CommonCryptoLib version 8, SAP HANA JDBC Client 2.0, SAP Business Connector 4.8, SAP NetWeaver Enterprise Portal 7.50, S/4HANA versions 100-108, and numerous other SAP components across various version ranges.

Users should review the relevant security notes and apply the patches.

As a mitigating measure, organizations that cannot immediately upgrade should implement compensating controls including restricting network access to affected components and using allowlists to limit Web interface exposure.
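The allowlist control described above, shown as an added example that is not part of the original advisory or of any SAP documentation: an nginx reverse-proxy fronting an SAP web interface, with the weak configuration (reachable from any client) beside the hardened one (reachable only from named management ranges). The hostnames, upstream address, port and CIDR ranges are constructed placeholders and must be replaced with the values for your own landscape.

```nginx
# Weak: the SAP web interface is proxied for every client that can reach port 443.
# (constructed example; sap-web.example.internal and 10.10.5.20 are placeholders)
server {
    listen 443 ssl;
    server_name sap-web.example.internal;

    ssl_certificate     /etc/nginx/tls/sap-web.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/sap-web.key;   # placeholder path

    location / {
        proxy_pass https://10.10.5.20:44300;          # placeholder SAP backend
        proxy_set_header Host $host;
    }
}

# Hardened: same proxy, but only the listed management networks may reach the
# interface; every other source address receives 403 before the request is
# forwarded to the SAP backend.  The allow/deny rules are evaluated in order,
# so the final "deny all" is what turns the list into an allowlist.
server {
    listen 443 ssl;
    server_name sap-web.example.internal;

    ssl_certificate     /etc/nginx/tls/sap-web.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/sap-web.key;   # placeholder path

    # If another load balancer sits in front of nginx, the client address seen
    # here would be that balancer's, not the real client's.  Only trust the
    # forwarded address from that one hop (placeholder range below).
    set_real_ip_from 10.0.0.0/24;                     # placeholder: upstream LB range
    real_ip_header   X-Forwarded-For;

    location / {
        allow 10.20.0.0/16;     # placeholder: Basis / admin network
        allow 192.168.100.0/24; # placeholder: jump-host subnet
        deny  all;              # everything else is refused (HTTP 403)

        proxy_pass https://10.10.5.20:44300;          # placeholder SAP backend
        proxy_set_header Host $host;
    }
}
```

The allowlist is only as good as the address it is evaluated against: without the `set_real_ip_from` / `real_ip_header` pair, a proxy placed in front of nginx would make every request appear to come from that proxy, and a single `allow` for its address would silently reopen the interface. Keep the trusted-proxy range as narrow as possible, and treat this control as a stopgap until the relevant security notes have been applied, not as a substitute for patching.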
