
SAP Security Patch Tuesday November 2025 | Critical Fixes and Updates

5-min read
Published: 11.11.2025 | Updated: 11.12.2025

Executive Summary

  • SAP released 20 Security Notes this month (18 new, 2 updates to previously released security notes). Three are critical (two 10.0s and one 9.9).
  • The most critical notes: SQL Anywhere Monitor (Non‑GUI) insecure key/secret management (CVSS 10.0); an AS Java hardening update for insecure deserialization (CVSS 10.0); and a Solution Manager code‑injection flaw (CVSS 9.9).
  • The remaining notes are of Medium severity by CVSS: CommonCryptoLib DoS (7.5), EP JNDI injection (6.5), Web Container info disclosure (5.3), plus multiple S/4HANA & Business Connector issues.
  • SAP also released patches for several low-severity vulnerabilities in AS Java, Enterprise Portal, Business One SLD, and HANA hdbrss, which nevertheless require attention.

Critical Vulnerabilities to Prioritize

November’s SAP Patch Tuesday brings 20 Security Notes, including 18 new and 2 updates to previously released security notes. Three of them are of critical severity, including two with the highest CVSS score of 10.0 and one at 9.9, focused on SQL Anywhere Monitor (Non‑GUI), NetWeaver AS Java hardening for insecure deserialization, and an SAP Solution Manager code injection flaw. The balance clusters around Enterprise Portal, S/4HANA, Business Connector, and client components.

3666261 / CVE‑2025‑42890. SQL Anywhere Monitor (Non‑GUI): Insecure key & secret management.

This is one of those legacy corners you forget exists – the small web monitor that came with SQL Anywhere, still hiding in some Business One and mobile setups. 

It uses hard-coded credentials, and that’s exactly as bad as it sounds. If the service is reachable, it’s instant compromise. No fancy chaining needed – just connect, log in, and you own the underlying database. 

Most customers moved on to SAP Cockpit years ago, but we still see this component sitting quietly on internal hosts and DMZ boxes. If it’s up, shut it down.

Priority | CVSS | Action
Critical | 10.0 | Apply vendor patches; treat exposed monitor endpoints as internet‑facing risk until updated.

3660659 / CVE‑2025‑42944. SAP NetWeaver AS Java: Security hardening for insecure deserialization (RMI/P4).

This one matters to almost everyone. AS Java underpins Portal, PI/PO, GRC, and even parts of SolMan.

SAP finally closes a long-standing insecure deserialization gap in RMI/P4, the Java admin protocol that lets internal components talk to each other. 

If an attacker can reach those ports, they can push a crafted payload and get remote code execution inside the Java stack. It’s that direct.

The patch adds a stricter jdk.serialFilter and a blocklist of risky classes. It’s config-based and needs a restart, but skipping it means you’re one exposed port away from an RCE. 

Priority | CVSS | Action
Critical | 10.0 | Implement the patch bundle and the jdk.serialFilter configuration; SAP references prerequisite Note 3670067.
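As an added illustration (not SAP’s own filter value, which the note itself supplies), the Java snippet below shows how a jdk.serialFilter-style pattern is evaluated per class by the JDK’s ObjectInputFilter, so a team can test a candidate pattern against its own classes before rolling it out with the required restart. The pattern, the com.example.app package, and the gadget package named in it are constructed for this example.

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.FilterInfo;
import java.io.ObjectInputFilter.Status;
import java.util.HashMap;

public class SerialFilterCheck {
    // Constructed sample pattern (not the value from the SAP note): cap graph depth and
    // array size, reject a known gadget package, allow the application package and a few
    // JDK types, and reject everything else with the trailing "!*".
    // The same string would be passed at startup as -Djdk.serialFilter=<pattern>.
    static final String PATTERN =
        "maxdepth=20;maxarray=100000;"
      + "!org.apache.commons.collections.functors.**;"
      + "com.example.app.**;"
      + "java.util.HashMap;java.lang.String;"
      + "!*";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    /** Ask the filter what it would do for one class seen at a given object-graph depth. */
    static Status decide(Class<?> clazz, long depth) {
        FilterInfo info = new FilterInfo() {
            @Override public Class<?> serialClass() { return clazz; }
            @Override public long arrayLength() { return -1; }   // not an array
            @Override public long depth() { return depth; }
            @Override public long references() { return 0; }
            @Override public long streamBytes() { return 0; }
        };
        return FILTER.checkInput(info);
    }

    public static void main(String[] args) {
        // Listed explicitly, shallow graph: the filter allows it.
        System.out.println("HashMap at depth 1: " + decide(HashMap.class, 1));
        // Not matched by any allow pattern: the trailing "!*" rejects it.
        System.out.println("Thread at depth 1:  " + decide(Thread.class, 1));
        // Allowed class, but the graph exceeds maxdepth: limits are enforced first.
        System.out.println("HashMap at depth 50: " + decide(HashMap.class, 50));
    }
}
```

Run with a JDK 9 or later; a pattern that parses but rejects a class your application legitimately serializes shows up here as REJECTED before it breaks a production deserialization path.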

3668705 / CVE‑2025‑42887. SAP Solution Manager: Code injection in a remote‑enabled function module.

SolMan is the nerve center of most SAP landscapes – trusted RFCs everywhere, high-privilege users, and full visibility into production. 

This note fixes a code-injection flaw in a remote-enabled function module. If someone has RFC access, they can execute arbitrary ABAP in SolMan.

From there, it’s trivial to pivot into connected systems. That’s why it scores 9.9 and why it should be patched now, not next cycle.

Priority | CVSS | Action
Critical | 9.9 | Implement the correction or the ST 720 support package noted; no workaround is provided.

High‑Priority Notes (Medium by CVSS but High Operational Relevance)

3633049 / CVE‑2025‑42940. SAP CommonCryptoLib (CRYPTOLIB 8): DoS via memory corruption.

Priority | CVSS | Action
High | 7.5 | Update to the fixed CCL build.

3660969 / CVE‑2025‑42884. NetWeaver Enterprise Portal: JNDI injection.

Apply patches promptly; where patching lags, use a WAF/reverse proxy to block suspicious paths.

Priority | CVSS | Action
High | 6.5 | Patch EP‑BASIS/EP‑RUNTIME and apply the RMI/P4 hardening note.

3643603 / CVE‑2025‑42919. AS Java Web Container: Info disclosure via path manipulation.

Priority | CVSS | Action
High | 5.3 | Patch ENGINEAPI/EP‑BASIS as listed. To address this threat, harden AS Java immediately using the jdk.serialFilter guidance (and prerequisite 3670067), restrict RMI/P4 exposure at the network edge, and apply patches. If patching is impossible, use a WAF/reverse proxy to block suspicious paths.

3643385 / CVE‑2025‑42895. HANA JDBC Client: code injection chain requiring local context and privileges.

Priority | CVSS | Action
High | 6.9 | Update HDB Client 2.0.

HANA 2.0 (hdbrss) / CVE‑2025‑42885. Missing authentication exposure.

Priority | CVSS | Action
High | 5.8 | Ensure the service is updated and not exposed.

3652901 / CVE‑2025‑42897. SAP Business One SLD: information disclosure.

Priority | CVSS | Action
High | 5.3 | Patch B1_ON_HANA 10.0 / SAP‑M‑BO 10.0. When remediating the vulnerability, verify that there’s no unauthenticated network exposure and apply all necessary updates.

Other Issues (Medium / Low), Grouped

Product | Patch, Note and CVSS | Description
Business Connector 4.8 | OS command injection (3665900, CVSS 6.8); Path traversal (3666038, CVSS 6.8); Open redirect (3662000, CVSS 6.1); Reflected XSS (3665907, CVSS 6.1) | Implement CoreFix 5 for BC 4.8.1 where referenced and validate that BC is not internet‑exposed. Two of these vulnerabilities require administrative privileges; the other two are client-side and rely on social engineering.
S/4HANA and NetWeaver ABAP: Missing authorization | S4CORE Manage Journal Entries (3530544, CVSS 4.3); SAP_BASIS (3643337, CVSS 4.3); ABAP Migration Workbench file handling (3634053, CVSS 2.7) | Transport the corrections to QA quickly and scan transports for risky objects before import.
Fiori (Update) | 3426825 (CVSS 3.1) | Cache poisoning through header manipulation
SAP GUI for Windows | 3651097 (CVSS 5.5) | Information disclosure
Starter Solution (PL SAFT) | 2886616 (CVSS 5.4) | SQL injection affecting multiple ECC/S4CORE stacks

Operational Guidance

  • Sequence: Criticals → Medium with AV:N/PR:N/UI:N → remaining Medium → Low.
  • Use transport/code scanning to catch custom‑code regressions; evaluate optional AS Java class blocks in lower tiers first.
  • If patching is delayed, apply compensating controls noted in SAP guidance: network ACLs for RMI/P4 and monitors, strict input validation at proxies, and increased logging for EP and BC endpoints.

Closing Thoughts

This cycle focuses on reducing the unauthenticated attack surface and closing gaps in older middleware. The faster you harden AS Java and de-risk BC endpoints, the lower the chance of exploitation and lateral movement within your SAP ecosystem.
