
SAP Patches Critical Flaws in SQL Anywhere Monitor, Solution Manager

Hardcoded credentials in SQL Anywhere Monitor could allow attackers to execute arbitrary code on vulnerable deployments. (Originally published on SecurityWeek.)


Enterprise software maker SAP on Tuesday announced the release of 18 new and one updated security notes as part of its November 2025 security patches.

The most important of SAP’s November 2025 notes deals with CVE-2025-42890 (CVSS score of 10/10), described as an insecure key and secret management vulnerability in SQL Anywhere Monitor.

The bug exists because SQL Anywhere Monitor ships with hardcoded credentials; an attacker who knows them could use them to execute arbitrary code on the affected systems, impacting system confidentiality, integrity, and availability.

To resolve the issue, SAP removed SQL Anywhere Monitor entirely, according to enterprise application security firm Onapsis.

“As a temporary workaround, SAP recommends to stop using SQL Anywhere Monitor and to delete any instances of SQL Anywhere Monitor database,” Onapsis notes.

On Tuesday, SAP also rolled out fixes for CVE-2025-42887 (CVSS score of 9.9), a critical-severity code injection defect in Solution Manager. The flaw exists because a remote-enabled function module did not sanitize user input, allowing attackers to inject malicious code.

Additionally, the software maker updated a security note released on its October 2025 Security Patch Day to harden protections against recent insecure deserialization flaws in NetWeaver AS Java. The updated note covers CVE-2025-42944, a security defect with a CVSS score of 10/10.

SAP’s fresh patches also resolve CVE-2025-42940 (CVSS score of 7.5), a high-severity memory corruption vulnerability in CommonCryptoLib.

“Missing boundary checks enable an attacker to send malicious data which could result in memory corruption followed by an application crash,” Onapsis explains.
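The bug class Onapsis describes is a length-driven copy with no check that the declared length fits either the supplied input or the destination buffer. The following is an added illustration written for this page; it is not CommonCryptoLib code, and the two-byte length-prefixed record format, the function names and the sample inputs are all hypothetical. It shows the unchecked copy beside a parser that performs the three boundary checks a reviewer would look for, and the demo functions only ever call the checked version.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record format (an assumption for this example, not CommonCryptoLib's):
 *   [len_hi][len_lo][payload ... declared-length bytes]
 */
#define REC_HDR 2
#define OUT_CAP 64

/* The "before" shape: the declared length is trusted. A record that claims
 * more bytes than out[] holds drives memcpy past the buffer (memory corruption),
 * and one that claims more than in_len supplies over-reads the input.
 * Shown for contrast only; nothing below calls it. */
int parse_record_unchecked(const uint8_t *in, uint8_t *out) {
    size_t declared = ((size_t)in[0] << 8) | in[1];
    memcpy(out, in + REC_HDR, declared);   /* no boundary checks */
    return (int)declared;
}

/* Hardened form. Returns the number of payload bytes copied, or -1 if the
 * record is malformed. Each check guards one way the declared length can lie. */
int parse_record(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in == NULL || out == NULL) return -1;
    if (in_len < REC_HDR) return -1;                /* header itself is truncated */
    size_t declared = ((size_t)in[0] << 8) | in[1];
    if (declared > in_len - REC_HDR) return -1;     /* length exceeds bytes actually supplied */
    if (declared > out_cap) return -1;              /* length exceeds the destination buffer */
    memcpy(out, in + REC_HDR, declared);
    return (int)declared;
}

/* Constructed sample inputs. */
static const uint8_t good_rec[]  = {0x00, 0x03, 'a', 'b', 'c'};   /* claims 3, supplies 3 */
static const uint8_t lying_rec[] = {0x10, 0x00, 'x'};             /* claims 4096, supplies 1 */

int demo_good(void) {
    uint8_t out[OUT_CAP];
    return parse_record(good_rec, sizeof good_rec, out, sizeof out);   /* 3 */
}

int demo_lying(void) {
    uint8_t out[OUT_CAP];
    return parse_record(lying_rec, sizeof lying_rec, out, sizeof out); /* -1 */
}

/* A record whose length is honest about the input but larger than out[]:
 * the unchecked parser would overflow out[] here; the checked one refuses. */
int demo_overcap(void) {
    uint8_t rec[REC_HDR + 100];
    rec[0] = 0x00; rec[1] = 100;                     /* declares 100 payload bytes */
    memset(rec + REC_HDR, 'A', 100);
    uint8_t out[OUT_CAP];
    return parse_record(rec, sizeof rec, out, sizeof out);             /* -1 */
}
```

The order of the checks matters: `in_len < REC_HDR` is tested before `in_len - REC_HDR` is computed so the unsigned subtraction cannot wrap, and the input-length check precedes the capacity check so a short record is rejected before any copy is attempted.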

The remaining notes released on SAP’s November 2025 Security Patch Day address medium- and low-severity bugs in HANA JDBC Client, Business Connector, NetWeaver, S/4HANA landscape, HANA 2.0, SAP GUI for Windows, Starter Solution, Business One, and S4CORE.

Between the October and November patches, SAP rolled out updates for six security notes, including an October 2025 note that addresses a critical-severity unrestricted file upload issue in Supplier Relationship Management.

Tracked as CVE-2025-42910 (CVSS score of 9.0), the defect could allow authenticated attackers to upload potentially malicious files. The updated note contains extended validity information.

SAP makes no mention of any of the patched vulnerabilities being exploited in the wild. Users are advised to apply the security notes as soon as possible, as SAP flaws are a popular target for threat actors.
