SAP fixes hardcoded credentials flaw in SQL Anyplace Monitor

SAP has released its November security updates, which address a number of vulnerabilities, including a maximum-severity flaw in the non-GUI variant of SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform.

The security issue in SQL Anywhere Monitor is tracked as CVE-2025-42890 and consists of hardcoded credentials. Because of the elevated risk, the vulnerability received the maximum severity score of 10.0.

“SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the potential for arbitrary code execution,” reads the description of the flaw.

Depending on how they are used, an attacker who obtains the credentials can use them to access administrative functions.

SQL Anywhere Monitor is a database monitoring and alerting tool, part of the SQL Anywhere suite, typically used by organizations managing distributed or remote databases.

The non-GUI monitor component is often deployed on unattended appliances, where it runs without frequent human oversight.

The second critical vulnerability, identified as CVE-2025-42887, has a severity score of 9.9 and affects SAP Solution Manager, a platform for application lifecycle management.

“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” reads the entry in the National Vulnerability Database.

“This could provide the attacker with full control of the system, hence leading to high impact on confidentiality, integrity and availability of the system.”

SAP Solution Manager is a centralized administration and monitoring platform for SAP environments, typically used by large enterprises that operate complex networks encompassing ERP, CRM, and analytics solutions.

As part of the November 2025 security update package, SAP also released fixes for one high-severity flaw (CVE-2025-42940) and 14 other medium-severity vulnerabilities.

Additionally, the German software giant released updates for CVE-2025-42944, a critical flaw in NetWeaver that was initially addressed last month.

SAP products, widely deployed across large enterprises and entrusted with mission-critical data, are frequent targets for threat actors seeking high-value access.

Earlier this year, SecurityBridge researchers reported active exploitation of a critical code-injection vulnerability, tracked as CVE-2025-42957, affecting SAP S/4HANA, Business One, and NetWeaver systems.

No active exploitation has been detected for the two critical flaws that SAP fixed today, but system administrators are advised to apply the available updates as soon as possible and follow the vendor’s mitigation recommendations for CVE-2025-42890 and CVE-2025-42887 (accessible only to account holders).
