SAP’s November 2025 Patch Day fixes two critical CVSS 10.0 vulnerabilities

Publication date: 2025-11-11
NEWS

Introduction

SAP has released its Security Patch Day update, addressing a broad set of vulnerabilities across its enterprise product portfolio. A total of 18 new advisories were issued, covering components such as SQL Anywhere, Solution Manager, SAP HANA, NetWeaver, and the Business Connector. Two of these flaws are rated at the highest possible severity — CVSS 10.0 — and require immediate attention.

According to SAP’s advisory, these vulnerabilities could lead to arbitrary code execution, credential exposure, or full system compromise if left unpatched. The BaseFortify team has analyzed each CVE and prepared annotated reports that explain the technical impact, detection indicators, and remediation strategies in clear, actionable language.


Key vulnerabilities at a glance

| CVE | Component | CVSS | Description |
| --- | --- | --- | --- |
| CVE-2025-42890 | SQL Anywhere Monitor (Non-GUI) | 10.0 | Hard-coded credentials baked into the code expose resources and can enable arbitrary code execution, impacting confidentiality, integrity, and availability. |
| CVE-2025-42887 | Solution Manager | 9.9 | Missing input sanitization lets an authenticated attacker insert malicious code via a remote-enabled function module, potentially gaining full system control. |
| CVE-2025-42895 | SAP HANA JDBC Client | 6.9 | Insufficient validation of connection property values lets a high-privilege locally authenticated user load unauthorized code; high impact on availability. |
| CVE-2025-42885 | SAP HANA 2.0 (hdbrss) | 5.8 | Missing authentication allows an unauthenticated attacker to call a remote-enabled function and view information (low impact on confidentiality). |
| CVE-2025-42899 | S/4HANA Core (Manage journal entries) | 4.3 | Insufficient authorization checks allow an authenticated user to escalate privileges (low impact on confidentiality). |
| CVE-2025-42924 | S/4HANA landscape / SAP E-Recruiting BSP | 6.1 | Open redirect via crafted links could redirect victims to attacker-controlled pages (low impact on confidentiality and integrity). |
| CVE-2025-42888 | SAP GUI for Windows | 5.5 | A highly privileged local user could access sensitive information in process memory during runtime (high impact on confidentiality). |
| CVE-2025-42894 | Business Connector | 6.8 | Path traversal lets an adjacent, admin-level attacker read/write/delete arbitrary files and potentially execute OS commands (complete compromise possible). |
| CVE-2025-42884 | NetWeaver Enterprise Portal | 6.5 | JNDI injection allows access to unintended providers and could lead to data disclosure or modification (no availability impact). |
| CVE-2025-42919 | NetWeaver Application Server Java | 5.3 | Manipulated URLs allow access to internal metadata files, partially compromising confidentiality (no integrity/availability impact). |
| CVE-2025-42889 | Starter Solution | 5.4 | Authenticated attackers can execute crafted database queries exposing the backend database (low impact on confidentiality and integrity). |
| CVE-2025-42940 | CommonCryptoLib | 7.5 | Missing boundary checks during ASN.1 parsing can cause memory corruption and application crash (high impact on availability). |
| CVE-2025-42886 | Business Connector | 6.1 | Reflected XSS: malicious link execution in a victim's browser context could expose or modify information (confidentiality/integrity impact). |
| CVE-2025-42897 | Business One (SLD) | 5.3 | Information disclosure in an anonymous API could expose unauthorized data (low confidentiality impact). |
| CVE-2025-42892 | Business Connector | 6.8 | OS command injection via specially crafted uploads processed by the application could lead to full system compromise. |
| CVE-2025-42893 | Business Connector | 6.1 | Open redirect displays attacker-controlled sites within an embedded frame, enabling data theft and unauthorized actions (no availability impact). |
| CVE-2025-42883 | NetWeaver AS ABAP (Migration Workbench) | 2.7 | Failure to trigger a malware scan on uploaded files allows administrative users to upload potentially malicious content (low integrity impact). |
| CVE-2025-42882 | NetWeaver AS ABAP | 4.3 | Missing authorization check lets authenticated users call a specific function module to retrieve restricted technical information. |


Technical insight and verification

Administrators can verify exposure by first identifying the versions of affected SAP components. Use the following commands from the system shell or SAP Management Console, then compare results to the fixed builds listed in SAP’s Security Notes:

# Check SAP HANA version (run as the <sid>adm user; "HDB info" lists processes, "HDB version" prints the build)
HDB version

# SQL Anywhere Monitor version (Linux/Unix)
dbversion -v

# For SAP Java-based systems
sappfpar version

# Business Connector version (example path; adjust to your installation directory)
grep -i version /opt/sap/BusinessConnector/config/version.txt

If your installation predates the patched release, your system remains vulnerable and must be updated immediately. Administrators should also review configuration files and user management for signs of compromise—especially unexpected administrative accounts or newly enabled remote-enabled function modules. These are common indicators following code injection or path traversal exploitation.
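The two post-exploitation indicators named above (unexpected administrative accounts and newly remote-enabled function modules) are easiest to spot by diffing a pre-patch baseline against a current export. The following is an added example, not BaseFortify's or SAP's code; the semicolon-separated snapshot format, the column names, and the set of role names treated as admin-level are assumptions, and the snapshots themselves are constructed sample data.

```python
"""Diff a baseline export of users/roles and function modules against a current
export and flag the indicators named above. Snapshot format and column names
are assumptions; the data below is constructed for illustration."""
import csv
import io
from dataclasses import dataclass, field

# Assumption: role/profile names your organization treats as admin-level.
ADMIN_ROLES = {"SAP_ALL", "SAP_NEW"}

# Constructed sample: user;roles (roles comma-separated), before and after.
BASELINE_USERS = "user;roles\nDDIC;SAP_ALL\nJ.DOE;SAP_BC_ENDUSER\n"
CURRENT_USERS = ("user;roles\nDDIC;SAP_ALL\n"
                 "J.DOE;SAP_BC_ENDUSER,SAP_ALL\n"   # existing user elevated
                 "SVC_BACKUP;SAP_ALL\n")            # brand-new admin account

# Constructed sample: function_module;remote_enabled ('X' = RFC-enabled).
BASELINE_FM = "function_module;remote_enabled\nRFC_PING;X\nZMON_COLLECT;\n"
CURRENT_FM = ("function_module;remote_enabled\nRFC_PING;X\n"
              "ZMON_COLLECT;X\n"      # flag flipped on an existing module
              "ZX_TMP_EXEC;X\n")      # new module created remote-enabled


@dataclass
class Findings:
    new_admin_users: list = field(default_factory=list)
    newly_remote_enabled: list = field(default_factory=list)


def _rows(snapshot: str) -> list:
    return list(csv.DictReader(io.StringIO(snapshot), delimiter=";"))


def admin_users(snapshot: str) -> set:
    """Users holding at least one admin-level role in the snapshot."""
    return {r["user"] for r in _rows(snapshot)
            if ADMIN_ROLES & {x.strip() for x in r["roles"].split(",")}}


def remote_enabled(snapshot: str) -> set:
    """Function modules whose remote-enabled flag is set."""
    return {r["function_module"] for r in _rows(snapshot)
            if r["remote_enabled"].strip().upper() == "X"}


def compare(base_users: str, cur_users: str, base_fm: str, cur_fm: str) -> Findings:
    """Anything admin-level or RFC-enabled now that was not in the baseline."""
    return Findings(
        new_admin_users=sorted(admin_users(cur_users) - admin_users(base_users)),
        newly_remote_enabled=sorted(remote_enabled(cur_fm) - remote_enabled(base_fm)),
    )


if __name__ == "__main__":
    result = compare(BASELINE_USERS, CURRENT_USERS, BASELINE_FM, CURRENT_FM)
    for user in result.new_admin_users:
        print(f"ALERT: admin-level user not in baseline: {user}")
    for fm in result.newly_remote_enabled:
        print(f"ALERT: function module newly remote-enabled: {fm}")
```

Take the baseline export before applying the patches so that the comparison reflects only changes made during the exposure window.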


Risk impact and observations

CVE-2025-42890, which exposes hard-coded credentials, poses an extreme risk because it can allow unauthenticated remote access and arbitrary code execution. This can result in complete takeover of the affected environment. Likewise, CVE-2025-42887 in Solution Manager enables authenticated users to inject malicious code via remote-enabled modules, paving the way for lateral movement across connected systems. Even seemingly moderate-severity issues, such as those in the Business Connector or CommonCryptoLib, can be chained to cause data leakage, denial of service, or sustained operational downtime.


Recommended actions

Organizations should apply all available patches immediately and review internal update processes to ensure SAP systems remain current. After updating, audit credentials for hard-coded or reused values, restrict external access to management interfaces such as the Solution Manager Web UI and Business Connector Admin Console, enable logging, and monitor for anomalies like newly created users or unusual script activity. Validate patch success by rescanning affected components with your vulnerability management tooling.


How BaseFortify supports organizations

BaseFortify provides unified External Attack Surface Management (EASM) and Vulnerability Management (VM). This combined approach helps teams uncover exposed SAP services on the public internet, correlate them with internal component inventories, and automatically match components to active CVEs such as those listed above. Our annotated CVE reports — including CVE-2025-42890 and CVE-2025-42887 — provide technical context and step-by-step mitigation guidance. The platform prioritizes vulnerabilities by exposure level, exploitability, and impact, ensuring focus where it matters most.

Organizations can register for free and begin monitoring their environment today: https://basefortify.eu/register.


Resources

SAP Security Patch Day – November 2025 (Official)
SAP Security Notes Portal
BaseFortify CVE Report: CVE-2025-42890
BaseFortify CVE Report: CVE-2025-42887
SecurityOnline.info coverage