SAP Security Notes, November 2025

November 2025 Notes

Summary and Highlights of the Month

Full details

The complete detail of the most relevant notes is as follows:

1. Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java (update) (3660659): SAP NetWeaver AS Java is vulnerable to remote code execution due to insecure deserialization of JDK and third-party classes. This update (v40 – November 11, 2025) strengthens security hardening for CVE-2025-42944 (CVSS 10.0 – Critical) by adding new prerequisites (SAP Note 3670067), removing outdated optional class disclaimers, and expanding hardening guidance. The fix blocks vulnerable classes and enforces deserialization restrictions in the AS Java runtime. Customers must ensure JVM version > 8u121, set element.resynch=DETECT in bootstrap.properties, and apply the referenced notes. A temporary workaround is to add the jdk.serialFilter parameter at JVM level, though SAP recommends applying the full correction. CVSS v3 Base Score 10/ 10 [CVE-2025-42944]
2. Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui) (3666261): A vulnerability in SQL Anywhere Monitor (Non-GUI) involved hard-coded credentials embedded within the code, potentially allowing unauthorized users to gain access and execute arbitrary code, impacting confidentiality, integrity, and availability. The issue arose because the Monitor, originally intended to replace Adobe Flash functionality, provided default database access that some environments failed to secure properly. The solution completely removes the SQL Anywhere Monitor and deletes associated databases in default locations, with historical data unloaded. The fix is available in SQL Anywhere 17.0 SP1 PL20 Build 8039. As a workaround, administrators should discontinue and delete any existing SQL Anywhere Monitor instances (samonitor.db) and transition to SQL Anywhere Cockpit for monitoring functionality. CVSS v3 Base Score 10/ 10 [CVE-2025-42890]
3. Code Injection vulnerability in SAP Solution Manager (3668705): An authenticated attacker could exploit missing input sanitation in a remote-enabled function module of SAP Solution Manager, enabling ABAP code injection (CVE-2025-42887) and potentially gaining full system control, resulting in high impact on confidentiality, integrity, and availability. The vulnerability is resolved by adding input sanitization logic that rejects non-alphanumeric characters. SAP recommends applying the provided correction instructions or support packages, as no workaround is available. CVSS v3 Base Score 9,9/ 10 [CVE-2025-42887]
4. Memory Corruption vulnerability in SAP CommonCryptoLib (3633049): A vulnerability in SAP CommonCryptoLib allows an attacker to send specially crafted ASN.1 data during pre-authentication, causing memory corruption and application crashes due to missing boundary checks (CVE-2025-42940). This flaw impacts availability but not confidentiality or integrity. The issue is resolved by enhancing boundary validation — users should upgrade to CommonCryptoLib version 8.5.60 or higher. Refer to SAP Notes 3628110 and 3677814 for patch details. No workaround is available. CVSS v3 Base Score 7,5/ 10 [CVE-2025-42940]

Reference links

Other references, from SAP and Onapsis (november):

SAP Security Patch Day – November 2025

SAP Patch Day: November 2025 – Onapsis

Resources affected