SAP November Patch Day includes max-severity vulnerability

Written by Field Effect Security Intelligence Team | Nov 11, 2025 9:08:14 PM

At a glance: SAP’s November Patch Day fixed 18 flaws, including a critical SQL Anywhere bug (CVE-2025-42890) allowing remote code execution. Field Effect MDR users are automatically alerted if affected and should review AROs in the Portal for remediation guidance.

Threat summary

On November 11, SAP released 18 security advisories as part of its monthly patch cycle. Of these, two are classified as critical, one as high severity, and the remaining advisories fall into medium and low-severity categories.

SAP also updated its earlier advisory on CVE-2025-42944, a max-severity flaw in SAP NetWeaver AS Java (SERVERCORE 7.50), reinforcing protections against insecure deserialization. This vulnerability enabled unauthenticated remote code execution through malicious payloads.

CVE-2025-42890

The most severe flaw this month, tracked as CVE-2025-42890, affects SQL Anywhere Monitor, a database monitoring and alerting tool used to oversee distributed or remote SQL Anywhere database environments.

The vulnerability affects the version of the tool that operates without a graphical user interface (non-GUI). Non-GUI versions are used for automated monitoring and are typically deployed on unattended systems where no user interaction is required. Because of this, the component usually relies on preconfigured settings.

The noted vulnerability resulted from hardcoded credentials embedded in that component, which could be exploited if the service is exposed to a network. Unauthenticated threat actors could use those credentials to execute malicious code remotely, which is reflected in its Common Vulnerability Scoring System (CVSS) v3.1 score of 10. The worst-case exploitation scenario is full system compromise, enabling attackers to manipulate or exfiltrate sensitive enterprise data.

SAP’s advisory recommends discontinuing use of this component and deleting associated databases, directing customers to transition to alternatives such as SQL Anywhere Cockpit or SAP Solution Manager for monitoring requirements.

CVE-2025-42887

The second critical vulnerability, CVE-2025-42887, affects SAP Solution Manager (SolMan), which is SAP’s Application Lifecycle Management (ALM) platform.

This flaw, rated with a CVSS score of 9.9, allows any user with valid credentials to send malicious requests to a network-accessible function that does not properly validate input, which could allow a threat actor to inject and execute malicious code remotely. If exploited, the attacker could escalate privileges and gain full administrative control of the affected system.

Solution Manager often has deep integration with core business systems and administrative functions. Its compromise could lead to complete SAP landscape takeover, data exfiltration, and operational disruption. The vulnerability is easy to exploit once an attacker has credentials, making insider threats or compromised accounts a significant concern.

Analyst insight

There is no public indication of exploitation or proof-of-concept code for the noted vulnerabilities as of November 11, 2025. SAP has not disclosed whether these vulnerabilities were discovered internally or reported by external researchers.

Security teams are encouraged to review the full list of advisories from SAP’s November 2025 Patch Day and prioritize remediation of CVE-2025-42890 and CVE-2025-42944, as these flaws represent the highest risk and warrant immediate attention.

Field Effect’s Security Intelligence constantly monitors the cyber threat landscape for vulnerabilities discovered in software like this. Field Effect MDR users are notified if vulnerabilities are detected in their environment and are encouraged to review the AROs for remediation guidance, including patch verification steps and credential hygiene recommendations.