SAP’s November 2025 Security Patch Day, released on November 11, underscores the ongoing need for robust protection in enterprise environments, with 18 new security notes and two updates addressing flaws across key products.
Among these, several critical vulnerabilities involve code execution and injection risks, potentially allowing attackers to compromise sensitive systems without authentication.
These issues highlight the persistent threats to SAP landscapes, where unpatched software could lead to data breaches or operational disruptions. SAP urges customers to prioritize patches via the Support Portal to safeguard their infrastructure.
Critical Execution and Injection Flaws Exposed
The patch day features three critical vulnerabilities tied to execution and injection, each scoring high on the CVSS scale and posing severe risks.
CVE-2025-42890 affects SQL Anywhere Monitor (Non-GUI) in SYBASE_SQL_ANYWHERE_SERVER 17.0.
It involves insecure key and secret management, with hard-coded credentials that expose resources to unauthorized access.
This flaw, rated 10.0, enables attackers to gain complete system control, execute arbitrary code, and compromise the confidentiality, integrity, and availability of the network without user interaction.
An update to CVE-2025-42944 in SAP NetWeaver AS Java (SERVERCORE 7.50) tackles insecure deserialization, also at CVSS 10.0, allowing unauthenticated remote code execution via the RMI-P4 protocol.
Attackers can send malicious payloads to the P4 port, triggering gadget chains that execute commands with elevated privileges, often as root or SYSTEM.
Similarly, CVE-2025-42887 in SAP Solution Manager (ST 720) is a code-injection vulnerability scoring 9.9, exploitable by low-privilege users to inject malicious code via unsanitized input in remote-enabled functions.
Medium-severity issues compound the risks, including CVE-2025-42895 (code injection in SAP HANA JDBC Client, 6.9), CVE-2025-42892 (OS command injection in SAP Business Connector, 6.8), CVE-2025-42884 (JNDI injection in SAP NetWeaver Enterprise Portal, 6.5), and CVE-2025-42889 (SQL injection in SAP Starter Solution, 5.4).
These could enable data exfiltration, privilege escalation, or lateral movement in connected environments.
Patching Strategies and Best Practices
Organizations must act swiftly to mitigate these threats, starting with vulnerability scanning and patch deployment in staging environments.
For critical flaws like those in NetWeaver and Solution Manager, apply notes 3660659 and 3668705 immediately, as exploitation requires minimal effort and could target internet-facing systems.
When patching is delayed, implement network segmentation, turn off unnecessary services, and monitor for anomalous activity using tools such as SAP Solution Manager’s security features.
SAP’s updates also address memory corruption (CVE-2025-42940, 7.5) and path traversal (CVE-2025-42894, 6.8), emphasizing comprehensive testing to avoid disruptions.
Collaborating with SAP support ensures tailored remediation, while regular configuration audits prevent recurrence.
By prioritizing these patches, enterprises can maintain resilience against evolving threats in SAP ecosystems.
