- CVE-2025-42887 in SAP Solution Manager allows unauthenticated code injection and complete system takeover
- The vulnerability obtained a score of 9.9/10; patch released in SAP November 2025 update
- SAP also fixed CVE-2024-42890, a 10/10 flaw in SQL Anywhere Monitor
SAP Solution Manager, an application lifecycle management (ALM) platform with tens of thousands of user organizations, had a critical severity vulnerability that allowed threat actors to completely take over compromised endpoints, experts warned.
Security researchers at SecurityBridge, who notified SAP after finding the flaw, described it as a “missing input sanitization” vulnerability that allows unauthenticated threat actors to insert malicious code by calling a remotely enabled function module.
“This could provide the attacker with full control of the system, which would have a high impact on the confidentiality, integrity and availability of the system,” explained the National Vulnerability Database (NVD).
SAP fixes a 10/10 bug
The bug is now tracked as CVE-2025-42887 and has been assigned a severity score of 9.9/10 (critical).
A patch is now publicly available and, although SAP users were previously notified, researchers once again urge everyone to apply it as soon as possible, as the risk will only increase in the future:
“A public patch for this vulnerability was released today, which could accelerate reverse engineering and exploit development, so it is recommended that you apply a patch soon,” SecurityBridge said in its announcement.
“When we discover a vulnerability with a priority score of 9.9 out of 10, we know we are dealing with a threat that could give attackers complete control of the system,” said Joris van de Vis, director of security research at SecurityBridge.
“CVE-2025-42887 is particularly dangerous because it allows code injection from a low-privileged user, leading to a complete compromise of SAP and all data contained in the SAP system. This code injection vulnerability in SAP Solution Manager represents exactly the type of critical attack surface weakness that our threat research labs work tirelessly to identify and eliminate. SAP systems are the backbone of business operations, and vulnerabilities like this remind us why proactive security is non-negotiable.”
The vulnerability was fixed as part of SAP’s November Patch Day, a cumulative update that addressed 18 new bugs and updates to two previously observed bugs. In addition to the one mentioned above, SAP fixed a 10/10 bug in the non-GUI variant of SQL Anywhere Monitor. This bug is tracked as CVE-2024-42890 and is another case of hardcoded credentials.
“SQL Anywhere Monitor (without GUI) embedded credentials in the code, exposing resources or functionality to unwanted users and giving attackers the ability to execute arbitrary code,” the description reads. SQL Anywhere Monitor is a database monitoring and alerting tool and part of the SQL Anywhere package.
