SAP released a large security update in November, comprising 18 new patches and two updates to previously published security notes. Three of the vulnerabilities in this update are rated critical, and two of them carry the maximum CVSS score of 10, directly affecting key SAP products that are widely deployed in corporate environments.

The first critical vulnerability, CVE-2025-42890, affects SQL Anywhere Monitor, the Sybase-based database monitoring component. The software has credentials hard-coded in its source code, which allows unauthenticated attackers to exploit it remotely. If exploited, this vulnerability could result in arbitrary code execution or unauthorized access to sensitive database systems, seriously compromising the confidentiality, integrity and availability of the system.

The second vulnerability with a CVSS score of 10 is CVE-2025-42944, which exists in the RMI-P4 module of SAP NetWeaver AS Java. The flaw stems from an unsafe deserialization mechanism, which allows an attacker to send malicious payloads to open RMI ports and execute commands remotely on the operating system. SAP said this was an extension of an earlier recommendation, reflecting the complexity and danger of the vulnerability. Because NetWeaver AS Java is in common use and sometimes exposed to the Internet, the risk of exploitation is considered very high if the system is not patched in time.

In addition, CVE-2025-42887, with a CVSS score of 9.9, affects SAP Solution Manager version ST 720. The flaw arises from a lack of input validation during remote function calls, allowing an authenticated attacker to insert and execute malicious code on the system. Successful exploitation can give the attacker full control of Solution Manager, a key component in the administration of an enterprise's SAP infrastructure.

Beyond the critical vulnerabilities, SAP also patched many high- and medium-severity issues in other products such as SAP HANA, NetWeaver, S/4HANA, Business Connector, and SAP GUI for Windows. The broad scope of the November update suggests that the SAP ecosystem continues to be an attractive target for cyberattacks. Early deployment of the security patches, especially on critical and Internet-facing systems, is therefore seen as an essential measure to reduce risk and protect corporate infrastructure from increasingly sophisticated threats.