SAP has released its November 2025 Security Patch Day, with 18 new security notes, several of them critical. The most severe is a CVSS 10.0 flaw (CVE-2025-42890) in SAP SQL Anywhere Monitor, an insecure key management issue that lets an unauthenticated attacker take over the system completely. SAP also updated its note for another CVSS 10.0 flaw (CVE-2025-42944), an insecure deserialization bug in NetWeaver AS Java that was first patched in October.
Business Impact
If exploited, these vulnerabilities in core SAP systems (ERP, NetWeaver, Solution Manager) are catastrophic. An attacker can gain unauthenticated remote access, execute arbitrary code, and fully compromise the company's "crown jewels": financial, HR, and supply chain data, and the systems that process it.
Why It Happened
The flaws fall into three classes: insecure key management (SQL Anywhere Monitor), insecure deserialization (NetWeaver AS Java), and code injection (Solution Manager). All three are high-severity weaknesses in complex, often internet-facing enterprise applications, and each grants deep access to the system once exploited.
Recommended Executive Action
This is an urgent patching priority. Direct your SAP administrators and security teams to apply these patches immediately, starting with internet-facing systems such as NetWeaver AS Java portals and SAP Solution Manager, then internal systems running the same components. Where a patch cannot be applied right away, restrict network access to the affected services until it is, and confirm the fix by checking the installed support package and kernel level against the SAP note rather than relying on the change ticket alone.
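As an added illustration of the prioritisation rule above (this is example code written for this note, not SAP's tooling), the script below sorts a constructed SAP system inventory into patch waves: internet-facing systems with a critical CVSS score go first, other critical or exposed systems next, everything else is scheduled. The inventory, hostnames and the wave thresholds are assumptions; only the two CVE numbers and their CVSS 10.0 scores come from the advisory.

```python
from dataclasses import dataclass

# Wave thresholds are assumptions chosen for this example, not an SAP rule.
CRITICAL = 9.0   # CVSS floor for "critical" handling
HIGH = 7.0       # CVSS floor for an exposed system to still jump the queue


@dataclass(frozen=True)
class Finding:
    system: str            # hostname or SID of the affected SAP system
    product: str           # affected component
    cve: str               # CVE from the SAP note
    cvss: float            # CVSS base score from the SAP note
    internet_facing: bool  # reachable from the internet (from your inventory)
    patched: bool = False  # already at or above the note's corrected level


# Constructed inventory for the example. Hostnames are invented; the two
# CVEs and their 10.0 scores are the ones named in the advisory above.
INVENTORY = [
    Finding("prod-portal", "NetWeaver AS Java", "CVE-2025-42944", 10.0, True),
    Finding("dev-portal", "NetWeaver AS Java", "CVE-2025-42944", 10.0, False),
    Finding("sqla-monitor", "SQL Anywhere Monitor", "CVE-2025-42890", 10.0, False),
    Finding("hr-portal", "NetWeaver AS Java", "CVE-2025-42944", 10.0, True, patched=True),
    Finding("test-box", "(constructed)", "CVE-0000-00000", 6.5, True),  # placeholder finding
]


def wave_for(f: Finding) -> str:
    """Assign a finding to a patch wave: exposure first, then severity."""
    if f.internet_facing and f.cvss >= CRITICAL:
        return "immediate"
    if f.cvss >= CRITICAL or (f.internet_facing and f.cvss >= HIGH):
        return "this_week"
    return "scheduled"


def triage(findings):
    """Group unpatched findings into ordered waves.

    Within a wave, higher CVSS comes first, then internet-facing systems,
    then hostname so the output is stable across runs.
    """
    waves = {"immediate": [], "this_week": [], "scheduled": []}
    ordered = sorted(findings, key=lambda f: (-f.cvss, not f.internet_facing, f.system))
    for f in ordered:
        if f.patched:
            continue  # already fixed; keep it out of the work queue
        waves[wave_for(f)].append(f)
    return waves


def report(findings):
    """Render the triage as one line per finding, in patch order."""
    lines = []
    for wave, items in triage(findings).items():
        for f in items:
            exposure = "internet-facing" if f.internet_facing else "internal"
            lines.append(f"{wave:<10} {f.system:<13} {f.product:<22} {f.cve} CVSS {f.cvss} ({exposure})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

The point of the ordering is that two systems with the same CVSS 10.0 note are not equal work items: the exposed portal is the one an attacker reaches first, so it patches first, while the already-patched host drops out of the queue entirely. Swap `INVENTORY` for an export from your own CMDB and the same logic applies.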
Hashtags: #SAP #ERP #Vulnerability #RCE #CVSS10 #PatchNow #CyberSecurity #InfoSec #CVE
