Enterprise software program maker SAP on Tuesday introduced the discharge of 18 new and one up to date safety notice as a part of its November 2025 safety patches.
A very powerful of SAP’s November 2025 notes offers with CVE-2025-42890 (CVSS rating of 10/10), described as an insecure key and secret administration vulnerability in SQL Wherever Monitor.
The bug exists as a result of hardcoded credentials in SQL Wherever Monitor may very well be exploited to execute arbitrary code on the affected programs, impacting system confidentiality, integrity, and availability.
To resolve the problem, SAP eliminated SQL Wherever Monitor solely, in keeping with enterprise software safety agency Onapsis.
“As a short lived workaround, SAP recommends to cease utilizing SQL Wherever Monitor and to delete any situations of SQL Wherever Monitor database,” Onapsis notes.
On Tuesday, SAP additionally rolled out fixes for CVE-2025-42887 (CVSS rating of 9.9), a critical-severity code injection defect in Resolution Supervisor. The flaw exists as a result of a remote-enabled perform module didn’t sanitize person enter, permitting attackers to inject malicious code.
Moreover, the software program maker up to date a safety notice launched on October 2025 Safety Patch Day to harden protections in opposition to latest insecure deserialization flaws in NetWeaver AS Java. The notice tackles CVE-2025-42944, a safety defect with a CVSS rating of 10/10.
SAP’s contemporary patches additionally resolve CVE-2025-42940 (CVSS rating of seven.5), a high-severity reminiscence corruption vulnerability in CommonCryptoLib.Commercial. Scroll to proceed studying.
“Lacking boundary checks allow an attacker to ship malicious knowledge which might lead to reminiscence corruption adopted by an software crash,” Onapsis explains.
The remaining notes launched on SAP’s November 2025 Safety Patch Day handle medium- and low-severity bugs in HANA JDBC Consumer, Enterprise Connector, NetWeaver, S/4HANA panorama, HANA 2.0, SAP GUI for Home windows, Starter Resolution, Enterprise One, and S4CORE.
Between the October and November patches, SAP rolled out updates for six safety notes, together with an October 2025 notice that addresses a critical-severity unrestricted file add challenge in Provider Relationship Administration.
Tracked as CVE-2025-42910 (CVSS rating of 9.0), the defect might enable authenticated attackers to add probably malicious recordsdata. The up to date notice accommodates prolonged validity info.
SAP makes no point out of any of the patched vulnerabilities being exploited within the wild. Customers are suggested to use the safety notes as quickly as doable, as SAP flaws are a well-liked goal for risk actors.
Associated: QNAP Patches Vulnerabilities Exploited at Pwn2Own Eire
Associated: Chrome 142 Replace Patches Excessive-Severity Flaws
Associated: Cisco Patches Crucial Vulnerabilities in Contact Heart Equipment
Associated: Apple Patches 19 WebKit Vulnerabilities
