- CVE-2025-42887 in SAP Solution Manager allows unauthenticated code injection and complete system takeover.
- The vulnerability received a score of 9.9 out of 10; the patch was released in the November 2025 SAP update.
- SAP has also fixed CVE-2024-42890, a 10/10 bug in SQL Anywhere Monitor.
SAP Solution Manager, an application lifecycle management (ALM) platform with tens of thousands of user organizations, contained a critical-severity vulnerability that allowed attackers to take complete control of compromised endpoints, experts warned.
SecurityBridge security researchers, who notified SAP after discovering the vulnerability, described it as a “missing input sanitization” flaw that allows unauthenticated attackers to inject malicious code when calling a remote-enabled function module.
“This could give an attacker complete control of the system, resulting in severe impacts on the confidentiality, integrity, and availability of the system,” explains the National Vulnerability Database (NVD).
SAP fixes a 10/10 bug
The issue is now tracked as CVE-2025-42887 and has a severity level of 9.9/10 (Critical).
The fix is now publicly available, and although SAP users have previously been notified, the researchers once again urge everyone to apply it as soon as possible as the risk will only increase in the future:
“A publicly available patch for this vulnerability was released today that may speed up reverse engineering and exploit development, so it is recommended that you apply the patch as soon as possible,” SecurityBridge said in a statement.
“When we discover a vulnerability that has a priority rating of 9.9 out of 10, we know we have a threat that could give attackers complete control of the system,” said Joris van de Wees, director of security research at SecurityBridge.
“CVE-2025-42887 is particularly dangerous because it allows code injection from a low-privileged user, resulting in complete compromise of SAP and all data contained in the SAP system. This SAP Solution Manager code injection vulnerability is exactly the type of critical attack surface vulnerability that our threat research labs are working tirelessly to identify and mitigate. SAP systems are the backbone of business operations, and vulnerabilities like these remind us why proactive security investigations are necessary and non-negotiable.”
The vulnerability was patched as part of SAP's November update package, a cumulative update that addresses 18 new bugs and updates fixes for two previously disclosed bugs. In addition to the above, SAP has fixed a 10/10 bug in the non-GUI variant of SQL Anywhere Monitor. This bug is tracked as CVE-2024-42890 and is another case of hardcoded credentials.
“SQL Anywhere Monitor (without a GUI) embedded credentials in code, exposing resources or functionality to unwanted users and allowing attackers to execute arbitrary code,” the description states. SQL Anywhere Monitor is a database monitoring and alerting tool included in the SQL Anywhere package.