SAP has released its November 2025 security updates, a patch batch addressing 18 new security notes and updating two previous ones [1]. Among the most severe vulnerabilities patched are a maximum-severity hardcoded credentials flaw in the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform. If left unpatched, these flaws could allow attackers to execute arbitrary code and gain complete control over affected systems, posing a significant risk to enterprise environments that rely on these SAP components.
For security leadership, the immediate takeaway is the need to prioritize the remediation of three critical vulnerabilities. The SQL Anywhere Monitor flaw, CVE-2025-42890, is particularly concerning because of its maximum CVSS score of 10.0 and because it requires no authentication to exploit. The resolution for this component is not a simple patch: SAP's guidance, as reported by Onapsis, is to remove the SQL Anywhere Monitor entirely [1]. This patch cycle underscores the persistent targeting of SAP systems by threat actors and the need for rapid remediation to prevent system compromise.
Technical Breakdown of Critical Vulnerabilities
The November 2025 SAP Security Patch Day addresses several high-severity issues, but three stand out because of their critical nature and potential impact. CVE-2025-42890, a hardcoded credentials vulnerability in the non-GUI variant of the SQL Anywhere Monitor, carries a CVSS score of 10.0. The flaw involves administrative credentials baked directly into the component's code, providing a direct path for unauthenticated attackers to access administrative resources and functionality. This access can then be leveraged to achieve arbitrary code execution. Given that SQL Anywhere Monitor is often deployed on unattended appliances as a database monitoring tool, a successful breach could grant attackers high-value access to core enterprise database environments [1].
The second critical flaw, CVE-2025-42944, is an insecure deserialization vulnerability in the RMI-P4 module of SAP NetWeaver AS Java, also rated CVSS 10.0; its security note was first released in October and has now been updated. An unauthenticated attacker can exploit the flaw by submitting a malicious serialized payload to an open RMI-P4 port, leading to the execution of arbitrary operating system commands. This grants the attacker full control over the server, with a high impact on confidentiality, integrity, and availability. Organizations that applied the original patch in October must also apply the updated security note (3660659) to ensure complete protection [1].
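Because the deserialization flaw is only reachable through an open RMI-P4 port, the first question for a NetWeaver AS Java landscape is which hosts expose that port beyond loopback. The script below is an added example (not code from the advisory, SAP, or Onapsis) that parses `ss -ltn` output and flags listeners on the default P4 ports. The port convention it relies on is SAP's documented default for AS Java, port 5NN04 for P4 and 5NN06 for P4 over SSL where NN is the two-digit instance number; the `ss` lines are constructed for the example, and a bind to a non-loopback address shows network reachability only, not whether note 3660659 has been applied, so treat a hit as a triage lead rather than a confirmed vulnerability.

```python
"""Triage listening SAP NetWeaver AS Java P4 ports from `ss -ltn` output.

Added example, not tooling from SAP or the advisory. The 5NN04 / 5NN06 port
convention is SAP's default for AS Java instance NN; any site-specific port
mapping you add is your own assumption. SAMPLE_SS below is constructed.
"""
import re
from dataclasses import dataclass


def p4_ports(instance: int) -> dict[int, str]:
    """Default P4 and P4-over-SSL ports for a NetWeaver instance number (00..99)."""
    if not 0 <= instance <= 99:
        raise ValueError("instance number must be 00..99")
    base = 50000 + instance * 100
    return {base + 4: "P4", base + 6: "P4 over SSL"}


# Every default P4/P4S port across all 100 instance numbers -> (instance, protocol).
P4_PORT_MAP = {
    port: (inst, proto) for inst in range(100) for port, proto in p4_ports(inst).items()
}


@dataclass
class Listener:
    local_addr: str
    port: int


# Matches the `ss -ltn` data rows: "LISTEN  <recv-q>  <send-q>  <addr>:<port>  <peer>".
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltn` rows into (address, port) pairs; header and unparsable lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2))))
    return listeners


def exposed_p4(listeners: list[Listener]) -> list[dict]:
    """Flag P4 listeners bound to a non-loopback address.

    Those are the sockets an unauthenticated client on the network could send a
    serialized payload to. Loopback-only binds are reported as not exposed.
    """
    findings = []
    for lst in listeners:
        if lst.port in P4_PORT_MAP and not lst.local_addr.startswith(("127.", "[::1]")):
            inst, proto = P4_PORT_MAP[lst.port]
            findings.append(
                {"port": lst.port, "instance": f"{inst:02d}", "protocol": proto, "bound_to": lst.local_addr}
            )
    return findings


# Constructed sample: instance 00 P4 on loopback only, instance 01 P4 and P4S on all
# interfaces, plus an HTTP port (50100) that must not be flagged.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:50004     0.0.0.0:*
LISTEN 0      128    0.0.0.0:50104       0.0.0.0:*
LISTEN 0      128    [::]:50106          [::]:*
LISTEN 0      128    0.0.0.0:50100       0.0.0.0:*
"""

if __name__ == "__main__":
    for f in exposed_p4(parse_ss(SAMPLE_SS)):
        print(f"instance {f['instance']}: {f['protocol']} on {f['bound_to']}:{f['port']} is network-reachable")
```

Run it against real output with `ss -ltn | python3 p4_exposure.py` after swapping `SAMPLE_SS` for `sys.stdin.read()`; pair any finding with the note status of that instance, and remember that a host firewall or network ACL in front of the bind can still block the path.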
The third critical vulnerability, CVE-2025-42887, is a code injection flaw in SAP Solution Manager with a CVSS score of 9.9. It stems from insufficient input sanitization in a remote-enabled function module: an authenticated attacker who can call the module with attacker-controlled input can inject code and potentially gain full control of the Solution Manager platform. Because Solution Manager acts as the central management hub for complex SAP environments, a compromise here could have widespread consequences across the entire SAP landscape. The fix is provided in SAP security note 3668705 [1].
Remediation and Mitigation Strategies
For CVE-2025-42890 in SQL Anywhere Monitor, the remediation path is more drastic than a standard patch. According to analysis from Onapsis, SAP's resolution involves removing the SQL Anywhere Monitor component entirely [1]; the official security note 3666261 provides the details for this action. As a temporary workaround, SAP recommends stopping the use of SQL Anywhere Monitor and deleting any associated database instances. This approach highlights the inherent risk of components with hardcoded credentials, which cannot be reliably secured through configuration changes alone.
For the other critical vulnerabilities, applying the relevant SAP security notes is the primary mitigation. System administrators should prioritize the following notes: 3660659 for the NetWeaver AS Java insecure deserialization flaw (CVE-2025-42944) and 3668705 for the Solution Manager code injection (CVE-2025-42887). Given that there is no current evidence of active exploitation in the wild, organizations have a window of opportunity to patch before threats materialize. However, the historical precedent of SAP vulnerabilities being quickly reverse-engineered and weaponized after patch release means this window may be short [1].
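The three remediations above are not all of the same kind: one note must simply be applied, one is a re-release that must be applied again at its newer version even where the October version is already in place, and one closes only when a component is gone, regardless of which notes are applied. The check below is an added example (not SAP's, Onapsis's, or the advisory's tooling) that encodes those three rules and reports per-system gaps. The note numbers and CVEs come from the text; the inventory format, the product names, and the choice to model the re-released note 3660659 as version 2 are assumptions, and you should confirm the current note version in the SAP Support Portal before relying on that number.

```python
"""Patch-gap check for the three critical November 2025 SAP notes.

Added example, not SAP or Onapsis tooling. Note numbers and CVEs are from the
advisory; the inventory format, product names, and the version number assumed
for the re-released note are this example's own assumptions. INVENTORY is
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    note: str
    cve: str
    product: str        # product the requirement applies to
    action: str         # "apply": note must be present; "remove": product itself must be absent
    min_version: int = 1  # for "apply": re-released notes must be present at this version or later


REQUIREMENTS = [
    # Note 3666261 is closed by removing the component, not by applying a note to it.
    Requirement("3666261", "CVE-2025-42890", "SQL Anywhere Monitor", "remove"),
    # Assumption: the updated re-release of 3660659 is modelled as version 2.
    Requirement("3660659", "CVE-2025-42944", "NetWeaver AS Java", "apply", min_version=2),
    Requirement("3668705", "CVE-2025-42887", "Solution Manager", "apply"),
]


def check_system(system: dict, requirements=REQUIREMENTS) -> list[str]:
    """Return human-readable gaps for one system; an empty list means compliant.

    system = {"sid": "PRD",
              "products": ["NetWeaver AS Java", ...],
              "applied": {"3660659": 1, ...}}   # note number -> applied version
    """
    gaps = []
    products = set(system.get("products", []))
    applied = system.get("applied", {})
    for r in requirements:
        if r.product not in products:
            continue  # requirement does not apply to this system
        if r.action == "remove":
            # Having note 3666261 recorded does not help: the component must be gone.
            gaps.append(f"{r.cve}: '{r.product}' still installed; remove it per note {r.note}")
        elif r.action == "apply":
            version = applied.get(r.note)
            if version is None:
                gaps.append(f"{r.cve}: note {r.note} not applied")
            elif version < r.min_version:
                gaps.append(
                    f"{r.cve}: note {r.note} applied at version {version}, needs version {r.min_version} or later"
                )
    return gaps


def report(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each SID to its gaps, keeping only systems that have something to fix."""
    return {s["sid"]: g for s in inventory if (g := check_system(s))}


# Constructed inventory: one compliant system and three with distinct gap types.
INVENTORY = [
    {"sid": "SOL", "products": ["Solution Manager", "NetWeaver AS Java"],
     "applied": {"3668705": 1, "3660659": 2}},
    {"sid": "JAV", "products": ["NetWeaver AS Java"], "applied": {"3660659": 1}},
    {"sid": "MON", "products": ["SQL Anywhere Monitor"], "applied": {"3666261": 1}},
    {"sid": "NEW", "products": ["NetWeaver AS Java"], "applied": {}},
]

if __name__ == "__main__":
    for sid, gaps in report(INVENTORY).items():
        for gap in gaps:
            print(f"{sid}: {gap}")
```

The `MON` entry is the case worth noticing: it records note 3666261 as applied, and it is still reported, because for that note the only acceptable end state is that the monitor is no longer installed. Feed the function from your real system inventory (for example, an export from Solution Manager or a CMDB) rather than hand-maintained lists.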
Additional Vulnerabilities and Broader Context
Beyond the three critical flaws, the November patch batch addresses several other high- and medium-severity issues. These include CVE-2025-42940, a high-severity memory corruption vulnerability in SAP CommonCryptoLib with a CVSS score of 7.5 that could lead to application crashes, and CVE-2025-42895, a code injection flaw in the SAP HANA JDBC Client rated at CVSS 6.9. The patch batch also covers various medium-severity flaws, such as OS command injection, path traversal, JNDI injection, open redirects, and missing authorization checks in products including SAP Business Connector, NetWeaver Enterprise Portal, S/4HANA, and SAP GUI for Windows [1].
The urgency of applying these patches is amplified by the critical role SAP systems play in enterprise operations and their history as high-value targets. The active exploitation of another critical SAP vulnerability, CVE-2025-42957, earlier in the year, as reported by SecurityBridge researchers, serves as a reminder of the real-world risk [1]. System administrators are strongly advised to treat this patch cycle as high priority, test the updates in non-production environments, and deploy them to production systems as soon as possible to mitigate the risk of compromise.
In conclusion, the SAP November 2025 Security Patch Day addresses a set of severe vulnerabilities that demand immediate attention. The hardcoded credentials flaw in SQL Anywhere Monitor is particularly severe due to its ease of exploitation and the required remediation action of component removal. The insecure deserialization in NetWeaver and code injection in Solution Manager further compound the risk landscape for SAP deployments. Proactive patch management and adherence to SAP’s specific guidance for each vulnerability are essential to maintaining the security posture of enterprise systems reliant on these critical business platforms.
References
- [1] "SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor," BleepingComputer, Nov. 11, 2025.
- [2] "SAP Patches Critical Flaws in SQL Anywhere Monitor, Solution Manager," SecurityWeek, Nov. 11, 2025.
- [3] SAP Security Notes, November 2025 Patch Day (notes 3666261, 3660659, 3668705).
- [4] National Vulnerability Database, CVE-2025-42890.
- [5] National Vulnerability Database, CVE-2025-42887.