SAP Patches Critical RCE and Injection Flaws

SAP has rolled out a new set of patches addressing critical vulnerabilities that expose enterprise systems to remote code execution and injection attacks. The November Security Patch Day update includes 18 new security notes and two revisions, reinforcing SAP’s efforts to secure its product line. Among the most severe flaws is CVE-2025-42890, a critical vulnerability in SQL Anywhere Monitor that allows unauthenticated attackers to compromise system integrity and access credentials. Another, CVE-2025-42944, affects SAP NetWeaver AS Java, where insecure deserialization can be abused for remote code execution. Patching flaws such as these prevents attackers from escalating privileges or deploying malicious payloads. Additional high- and medium-severity notes address code injection in SAP Solution Manager, OS command injection in Business Connector, and SQL injection in Starter Solution. SAP encourages clients to apply patches promptly and run security scans. For a detailed view of the vulnerabilities and protective measures, read the full article:

SAP Security Update – Patch for Critical Vulnerabilities Allowing Code Execution and Injection Attacks
