
SAP Security Patch Day – November 2025


🚨 Safe Tuesday with SNOK: SAP Security Patch Day – November 2025

The November SAP Security Patch Day is behind us! As every month, SAP has delivered a set of fixes critical to the security of your SAP systems landscape.

On 11 November 2025, SAP published 18 new security notes and 2 updates to existing notes. This month, we need to pay particular attention to three critical vulnerabilities (CVSS 9.9 and 10.0!) requiring immediate attention.

The analysis below provides a detailed review of all published security notes, including exploitation mechanisms, recommended remediation actions, and the temporary workarounds available for critical and high-severity vulnerabilities. It has been prepared to support decisions on prioritising the update process in production SAP environments.

Critical priority

SAP Note: 3660659 (Update)

Title: Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java

CVE: CVE-2025-42944

Product: SAP NetWeaver AS Java

Version: SERVERCORE 7.50

Priority: Critical

CVSS: 10.0

Causes

The cause of the issue is unsafe deserialisation of JDK objects and third-party classes, which is not restricted by default in SAP NetWeaver AS Java. The system becomes vulnerable to remote code execution when specially crafted data is deserialised by the AS Java runtime environment.

Recommended resolution

To resolve this issue, a security patch must be applied that blocks unsafe JDK and third-party classes in SAP NetWeaver AS Java. The system should be updated to the latest available patch for version SERVERCORE 7.50 - the patch includes a configuration fix preventing unsafe deserialisation in the SAP NetWeaver AS Java runtime environment.

SAP Note: 3666261

Title: Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui)

CVE: CVE-2025-42890

Product: SQL Anywhere Monitor

Version: 17.0

Priority: Critical

CVSS: 10.0

Causes

SQL Anywhere Monitor (Non-GUI version) contained hard-coded credentials in the code, exposing resources or functionality to unauthorised users and giving attackers the ability to execute arbitrary code.

Recommended resolution

The resolution is the removal of SQL Anywhere Monitor.

Applying the fix removes SQL Anywhere Monitor. In existing installations, the databases located in the default installation directories will be deleted, together with any historical data they hold, unless that data has been unloaded beforehand.

The fix is available from SQL Anywhere 17.0 SP1 PL20 Build 8039 onwards.

Workaround

Users should stop using and remove any instances of the SQL Anywhere Monitor database (samonitor.db). Customers requiring monitoring functionality should migrate to SQL Anywhere Cockpit.

SAP Note: 3668705

Title: Code Injection vulnerability in SAP Solution Manager

CVE: CVE-2025-42887

Product: SAP Solution Manager

Version: 7.2

Priority: Critical

CVSS: 9.9

Causes

Due to a missing input sanitisation mechanism in SAP Solution Manager, an authenticated attacker can inject malicious code when calling a function module with a remote-enabled function feature. This can give the attacker full control over the system, leading to a high impact on the confidentiality, integrity, and availability of the system.

Recommended resolution

The issue has been fixed by adding a code snippet that sanitises input data, rejecting most non-alphanumeric characters. The resolution is implementation of Note 3668705.

SAP Note: 3633049

Title: Memory Corruption vulnerability in SAP CommonCryptoLib

CVE: CVE-2025-42940

Product: SAP CommonCryptoLib

Version: 8

Priority: High

CVSS: 7.5

Causes

SAP CommonCryptoLib does not perform the necessary boundary checks when parsing ASN.1 data (pre-authentication) transmitted over the network. This allows an attacker to send malicious data, which can lead to memory corruption and subsequently to an application crash. This results in a high impact on availability of the system. There is no impact on confidentiality or integrity.
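The boundary check this note describes as missing, shown in an added example that is not SAP's code and not CommonCryptoLib's actual parser: a minimal DER tag-length-value reader in C that validates every declared length against the bytes actually received before using it, plus a walker that keeps child elements inside their parent's bounds. The sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* One decoded DER tag-length-value element: tag, declared content length,
 * offset of the first content byte, and offset just past the content. */
typedef struct { uint8_t tag; size_t len, value, next; } der_tlv;
/* Decode the TLV at buf[off]. Every read is checked against buflen first, so a
 * declared length larger than the data received is rejected instead of being
 * used as an index. Returns 1 on success, 0 on truncated or malformed input. */
int der_read_tlv(const uint8_t *buf, size_t buflen, size_t off, der_tlv *out)
{
    if (off >= buflen) return 0;                 /* no room for a tag octet */
    out->tag = buf[off++];
    if (off >= buflen) return 0;                 /* no room for a length octet */
    uint8_t first = buf[off++];
    size_t len = first;                          /* short form: 0..127 */
    if (first & 0x80) {                          /* long form: N length octets follow */
        size_t nbytes = first & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t)) return 0;  /* indefinite or absurd */
        if (nbytes > buflen - off) return 0;     /* length field itself truncated */
        len = 0;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[off++];
    }
    if (len > buflen - off) return 0;            /* the check at issue: content exceeds buffer */
    out->len = len; out->value = off; out->next = off + len;
    return 1;
}
/* Count the elements directly inside a constructed element, reading children
 * only within the parent's bounds. Returns -1 if anything is malformed. */
int der_count_children(const uint8_t *buf, size_t buflen, size_t off)
{
    der_tlv outer, inner = {0};
    if (!der_read_tlv(buf, buflen, off, &outer)) return -1;
    int n = 0;
    for (size_t p = outer.value; p < outer.next; p = inner.next, n++)
        if (!der_read_tlv(buf, outer.next, p, &inner)) return -1;
    return n;
}
/* Constructed samples: a valid SEQUENCE { INTEGER 5, OCTET STRING "A" }, one whose
 * outer length claims ~4 GiB of content, and one whose child overruns its parent. */
static const uint8_t good[]      = {0x30,0x06,0x02,0x01,0x05,0x04,0x01,0x41};
static const uint8_t oversized[] = {0x30,0x84,0xff,0xff,0xff,0xff,0x02};
static const uint8_t overrun[]   = {0x30,0x03,0x02,0x05,0x01};

int main(void)
{   /* prints: 2 -1 -1 */
    printf("%d %d %d\n", der_count_children(good, sizeof good, 0),
           der_count_children(oversized, sizeof oversized, 0),
           der_count_children(overrun, sizeof overrun, 0));
}
```

Feeding the same inputs to a reader that trusts the declared length would index past the end of the receive buffer on the second and third samples, which is the crash path the note describes.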

Recommended resolution

The resolution to this issue is to update CommonCryptoLib to at least version 8.5.60. As some SAP environment components include CommonCryptoLib, please refer to SAP Note 3628110 for the appropriate patch levels for those components.

Medium Priority

SAP Note 3643385 | CVE-2025-42895 SAP HANA JDBC Client | CVSS: 6.9 | Code Injection vulnerability. Versions: HDB_CLIENT 2.0

SAP Note 3665900 | CVE-2025-42892 SAP Business Connector | CVSS: 6.8 | OS Command Injection vulnerability. Versions: SAP BC 4.8

SAP Note 3666038 | CVE-2025-42894 SAP Business Connector | CVSS: 6.8 | Path Traversal vulnerability. Versions: SAP BC 4.8

SAP Note 3660969 | CVE-2025-42884 SAP NetWeaver Enterprise Portal | CVSS: 6.5 | JNDI Injection vulnerability. Versions: EP-BASIS 7.50, EP-RUNTIME 7.50

SAP Note 3642398 | CVE-2025-42924 SAP S/4HANA landscape (SAP E-Recruiting BSP) | CVSS: 6.1 | Open Redirect vulnerabilities. Versions: S4ERECRT 100, 200, ERECRUIT 600-802

SAP Note 3662000 | CVE-2025-42893 SAP Business Connector | CVSS: 6.1 | Open Redirect vulnerability. Versions: SAP BC 4.8

SAP Note 3665907 | CVE-2025-42886 SAP Business Connector | CVSS: 6.1 | Reflected Cross-Site Scripting (XSS) vulnerability. Versions: SAP BC 4.8

SAP Note 3639264 | CVE-2025-42885 SAP HANA 2.0 (hdbrss) | CVSS: 5.8 | Missing authentication. Versions: HDB 2.00

SAP Note 3651097 | CVE-2025-42888 SAP GUI for Windows | CVSS: 5.5 | Information Disclosure vulnerability. Versions: BC-FES-GUI 8.00, 8.10

SAP Note 2886616 | CVE-2025-42889 SAP Starter Solution (PL SAFT) | CVSS: 5.4 | SQL Injection vulnerability. Versions: SAP_APPL 600-616, SAP_FIN 617-730, S4CORE 100-104

SAP Note 3643603 | CVE-2025-42919 SAP NetWeaver Application Server Java | CVSS: 5.3 | Information Disclosure vulnerability. Versions: ENGINEAPI 7.50, EP-BASIS 7.50

SAP Note 3652901 | CVE-2025-42897 SAP Business One (SLD) | CVSS: 5.3 | Information Disclosure vulnerability. Versions: B1_ON_HANA 10.0, SAP-M-BO 10.0

SAP Note 3530544 | CVE-2025-42899 SAP S4CORE (Manage Journal Entries) | CVSS: 4.3 | Missing Authorization check. Versions: S4CORE 104-108

SAP Note 3643337 | CVE-2025-42882 SAP NetWeaver Application Server for ABAP | CVSS: 4.3 | Missing Authorization check. Versions: SAP_BASIS 700-816

Low Priority

SAP Note 3426825 (Update) | CVE-2025-23191 SAP Fiori for SAP ERP | CVSS: 3.1 | Cache Poisoning through header manipulation vulnerability. Versions: SAP_GWFND 740-758

SAP Note 3634053 | CVE-2025-42883 SAP NetWeaver Application Server for ABAP (Migration Workbench) | CVSS: 2.7 | Insecure File Operations vulnerability. Versions: SAP_BASIS 700-816

Summary and Strategic Recommendations

The SNOK team supports its clients in the comprehensive implementation of SAP security patches, offering dedicated analysis, prioritisation, and deployment services for critical updates in production environments. This Patch Day also calls for organisational mobilisation because of the medium and low priority vulnerabilities identified: although they do not reach maximum criticality, they represent potential attack vectors threatening the confidentiality, integrity, and availability of systems.

Among the published notes are 14 Medium priority vulnerabilities, the highest of which is a code injection in the SAP HANA JDBC Client (CVSS 6.9). Many vulnerabilities also affect the SAP Business Connector (Path Traversal, OS Command Injection, XSS), requiring immediate attention given the risk of takeover or access to sensitive resources.

Over the coming days, organisations must carry out a comprehensive inventory of SAP resources, with particular focus on the SAP Business Connector 4.8 and SAP HANA JDBC Client 2.0 components, while simultaneously initiating update procedures for critical systems. Vulnerabilities related to missing authorisation checks in SAP NetWeaver AS ABAP and the SAP S4CORE component should also be verified.

Potential consequences of failing to implement these fixes include unauthorised data access, takeover of lower-priority systems, and breach of compliance requirements. Investment in rapid patching is essential for maintaining operational continuity and stability.


Would you like to see this in practice or discuss implementation for your organisation? Get in touch - we will respond within 48 hours.

Topics: Safe Tuesday sap-security SAP S/4HANA SAP HANA
