SAP Patches Critical Vulnerability in SQL Anywhere Monitor


463/68 Thursday, November 13, 2025

SAP has released its November 2025 security updates, addressing a total of 19 vulnerabilities, including one Critical flaw (CVSS 10.0), tracked as CVE-2025-42890, affecting SQL Anywhere Monitor (Non-GUI). The vulnerability stems from insecure key and secret management: credentials are hardcoded directly in the product's code. This flaw allows an unauthenticated attacker to access the system and execute code remotely, posing a direct risk to the system's confidentiality, integrity, and availability.

According to SAP’s Security Advisory, SQL Anywhere Monitor contains embedded credentials that allow unauthorized users to access restricted functions and execute malicious code. Security experts recommend temporarily disabling SQL Anywhere Monitor and deleting existing Monitor databases to prevent exploitation while awaiting updates. SAP has also patched another severe vulnerability, CVE-2025-42887 (CVSS 9.9), in SAP Solution Manager. This is a code injection vulnerability caused by insufficient input sanitization, enabling authenticated attackers to inject malicious code during the execution of remote-enabled functions.
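The root cause described above, a credential embedded as a string literal in source code, is a pattern defenders can look for in their own code bases. The following is an added example, not SAP's code and not taken from the advisory: a small scanner that flags assignments of string literals to secret-looking variable names, alongside the hardened pattern of supplying the credential at deployment time and refusing to start without it. The sample source lines and the environment variable name `MONITOR_DB_PASSWORD` are constructed for the example.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample source (not SAP code): lines 2 and 3 embed a credential
# literal; line 4 loads it from the environment and should not be flagged.
SAMPLE_SOURCE = """\
db_user = "monitor"
DB_PASSWORD = "S3cretValue!"
api_key = 'abc123'
password = os.environ["MONITOR_DB_PASSWORD"]
timeout = 30
"""

# Matches `<secret-looking name> = "<literal>"` on a single line. Names that
# contain password/passwd/pass, secret, api_key/apikey or token are treated
# as credential holders; only string-literal right-hand sides are reported.
_SECRET_ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>\w*(?:pass(?:word|wd)?|secret|api[_-]?key|token)\w*)"""
    r"""\s*=\s*(?P<quote>["'])(?P<value>.*?)(?P=quote)\s*$""",
    re.IGNORECASE,
)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, identifier) for every assignment of a non-empty
    string literal to a secret-looking variable name.

    Lookups such as os.environ[...] or a secret-store call are not string
    literals, so they do not match. This is a heuristic, intended as a
    cheap pre-commit or CI check rather than a complete secret scanner."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = _SECRET_ASSIGNMENT.match(line)
        if match and match.group("value"):
            findings.append((lineno, match.group("name")))
    return findings


def load_db_password(
    env_var: str = "MONITOR_DB_PASSWORD",
    environ: Optional[Mapping[str, str]] = None,
) -> str:
    """Hardened counterpart: the credential is injected at deployment time
    (environment variable here; a secret manager would work the same way).
    A missing value is a hard failure, never a fallback to a built-in
    default, so no usable credential exists inside the shipped code."""
    source = os.environ if environ is None else environ
    value = source.get(env_var)
    if not value:
        raise RuntimeError(
            f"{env_var} is not set; refusing to start with a default credential"
        )
    return value


if __name__ == "__main__":
    for lineno, name in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded credential assigned to {name!r}")
```

Running the block against the constructed sample reports lines 2 and 3 and leaves the environment lookup on line 4 alone; wiring `find_hardcoded_credentials` into a pre-commit hook over changed files is the usual deployment.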

Additionally, SAP has updated an earlier Security Note from October 2025 concerning an Insecure Deserialization vulnerability (CVE-2025-42944) in SAP NetWeaver AS Java, improving system hardening measures. As of now, there are no reports of these vulnerabilities being exploited in the wild, but SAP strongly advises administrators across all organizations to review and apply the latest security patches immediately to reduce the risk of future attacks.

Source: https://securityaffairs.com/184500/security/sap-fixed-a-maximum-severity-flaw-in-sql-anywhere-monitor.html