SAP Security Patch Day – November 2025
With November’s SAP Security Patch Day – the second-to-last of the year – SAP published 25 Security Notes, including updates to previously released notes. Even as the calendar winds down, there’s no hibernation in SAP security: the number of patches remains consistently high, and so does the imperative to apply patches promptly to reduce exposure from known vulnerabilities!
Today’s landscapes change fast – spanning on-premise, cloud, and hybrid setups – and effective patch management is not as easy as “just patch.” Because of the complex nature and various components in the landscape, patching is often a tedious, time-consuming process, where applicable patches can be easily missed. At SecurityBridge, we understand the difficulties of patch management in the SAP landscape like no other. Our SecurityBridge Patch Management for SAP solution greatly helps to identify missing patches in your SAP landscape, providing clear visibility, impact analysis, and automated implementation. With a system-wide overview, the solution drastically shortens the time to implement missing patches and monitor threats in real-time, safeguarding your SAP landscape against emerging threats.
SecurityBridge Findings!
At SecurityBridge, we don’t just provide a comprehensive SAP security platform — we’re also deeply invested in ongoing research within the SAP security domain. This continuous commitment often leads to the discovery of new vulnerabilities, which we responsibly disclose and resolve in close collaboration with SAP.
For this month’s release, we’re proud to share our latest discoveries:
- HotNews: note 3668705 – [CVE-2025-42887] Code Injection vulnerability in SAP Solution Manager
- Medium priority: note 3643337 – [CVE-2025-42882] Missing Authorization check in SAP NetWeaver Application Server for ABAP
- Low priority: note 3634053 – [CVE-2025-42883] Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench)
SecurityBridge customers received an early warning about these discoveries on October 30th!
Security notes - November 2025
HotNews
Let’s start with HotNews, the highest-priority category. There are four notes in total — two newly released today and two updates.
Note 3666261 has been newly released and carries the highest possible score (CVSS 10.0). It concerns the SQL Anywhere Monitor, an administration tool used for components such as SQL Anywhere databases and the MobiLink server. The Monitor contains hard-coded credentials, which is what earns the note its HotNews priority. The solution is to apply the fix or, as a workaround, to remove the Monitor entirely. Note that the Monitor has been discontinued and the SQL Anywhere Cockpit should be used instead (see SQL Anywhere Cockpit).
Like last month, note 3660659 is again listed. The update concerns various updates on the workaround and additional hardening of SAP NetWeaver AS Java systems. Make sure to double check if you applied this note previously!
Note 3668705 describes how a remote-enabled function module can be misused to insert malicious code, resulting in full control of the system. There is no workaround, so patching is the only solution!
Note 3647332 was initially released last month and has been updated with additional version validities. Make sure to double check if your landscape requires this patch now for SAP SRM.
High-Priority Notes
We only have 2 High-priority notes this month. Although these are 1 category below HotNews, they are still important.
Note 3633049 describes a memory corruption vulnerability in SAP CommonCryptoLib, the library used for various cryptographic tasks across SAP landscapes. A malicious actor can cause an application to crash. The solution is simple: apply the patch. However, CommonCryptoLib is bundled with many components, which makes it harder to identify the complete patching scope. Make sure to check the components referenced by note 3628110 to identify the components you need to update.
Note 3664466 (denial of service in SAP Commerce Cloud) was released last month and has been slightly updated.
Medium- and Low-Priority Notes
This Patch Tuesday, 19 notes fall into the Medium or Low categories. These are a mix of new and updated notes. See below for some highlights and for a full breakdown, scroll to the end of this post.
SAP Business Connector anyone?
Integration specialists who have been around for some time may remember the SAP Business Connector as one of the earliest products for SAP integration scenarios. While many think the Business Connector was buried long ago, version 4.8 is actually still supported! In this month’s patch cycle we find no fewer than four security notes for it: notes 3665900, 3666038, 3662000 and 3665907 (OS command injection, path traversal, open redirect and reflected XSS). It looks like someone in the security community has been busy with a special interest in the Business Connector…
SAP Security Notes November 2025
Highlights
A wide array of SAP Components to consider, including the SAP Business Connector.
Summary by Severity
The November release contains a total of 25 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 4 |
| High | 2 |
| Medium | 16 |
| Low | 3 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3666261 | [CVE-2025-42890] Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui) Priority: HotNews Released on: 11/11/25 Components: BC-SYB-SQA-ADM Category: Program error | Hot News | 10.0 |
| 3660659 | [CVE-2025-42944] Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java Priority: HotNews Released on: 10/14/25 Components: BC-JAS-COR Category: Program error | Hot News | 10.0 |
| 3668705 | [CVE-2025-42887] Code Injection vulnerability in SAP Solution Manager Priority: HotNews Released on: 11/11/25 Components: SV-SMG-SVD-SWB Category: Program error | Hot News | 9.9 |
| 3647332 | [CVE-2025-42910] Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management Priority: HotNews Released on: 10/14/25 Components: SRM-UIA-SHP-BD Category: Program error | Hot News | 9.0 |
| 3633049 | [CVE-2025-42940] Memory Corruption vulnerability in SAP CommonCryptoLib Priority: Correction with high priority Released on: 11/11/25 Components: BC-IAM-SSO-CCL Category: Program error | High | 7.5 |
| 3664466 | [CVE-2025-5115] Denial of service (DOS) in SAP Commerce Cloud (Search and Navigation) Priority: Correction with high priority Released on: 10/14/25 Components: CEC-SCC-COM-SRC-SER Category: Program error | High | 7.5 |
| 3643385 | [CVE-2025-42895] Code Injection vulnerability in SAP HANA JDBC Client Priority: Correction with medium priority Released on: 11/11/25 Components: HAN-DB-CLI Category: Program error | Medium | 6.9 |
| 3665900 | [CVE-2025-42892] OS Command Injection vulnerability in SAP Business Connector Priority: Correction with medium priority Released on: 11/11/25 Components: BC-MID-BUS Category: Program error | Medium | 6.8 |
| 3666038 | [CVE-2025-42894] Path Traversal vulnerability in SAP Business Connector Priority: Correction with medium priority Released on: 11/11/25 Components: BC-MID-BUS Category: Program error | Medium | 6.8 |
| 3660969 | [CVE-2025-42884] JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal Priority: Correction with medium priority Released on: 11/11/25 Components: EP-PIN-APF-CAT Category: Program error | Medium | 6.5 |
| 3665907 | [CVE-2025-42886] Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector Priority: Correction with medium priority Released on: 11/11/25 Components: BC-MID-BUS Category: Program error | Medium | 6.1 |
| 3662000 | [CVE-2025-42893] Open Redirect vulnerability in SAP Business Connector Priority: Correction with medium priority Released on: 11/11/25 Components: BC-MID-BUS Category: Program error | Medium | 6.1 |
| 3597355 | [CVE-2025-42942] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP Priority: Correction with medium priority Released on: 8/12/25 Components: BC-MID-ICF Category: Program error | Medium | 6.1 |
| 3642398 | [CVE-2025-42924] Open Redirect vulnerabilities in SAP S/4HANA landscape (SAP E-Recruiting BSP) Priority: Correction with medium priority Released on: 11/11/25 Components: PA-ER Category: Program error | Medium | 6.1 |
| 3639264 | [CVE-2025-42885] Missing authentication in SAP HANA 2.0 (hdbrss) Priority: Correction with medium priority Released on: 11/11/25 Components: HAN-DB-ENG Category: Program error | Medium | 5.8 |
| 3651097 | [CVE-2025-42888] Information Disclosure vulnerability in SAP GUI for Windows Priority: Correction with medium priority Released on: 11/11/25 Components: BC-FES-GUI Category: Program error | Medium | 5.5 |
| 2886616 | [CVE-2025-42889] SQL Injection vulnerability in SAP Starter Solution (PL SAFT) Priority: Correction with medium priority Released on: 11/11/25 Components: FI-LOC-SAF-PL Category: Program error | Medium | 5.4 |
| 3652901 | [CVE-2025-42897] Information Disclosure vulnerability in SAP Business One (SLD) Priority: Correction with medium priority Released on: 11/11/25 Components: SBO-BC-SLD Category: Program error | Medium | 5.3 |
| 3643603 | [CVE-2025-42919] Information Disclosure vulnerability in SAP NetWeaver Application Server Java Priority: Correction with medium priority Released on: 11/11/25 Components: BC-JAS-WEB Category: Program error | Medium | 5.3 |
| 3627644 | [CVE-2025-42911] Missing Authorization check in SAP NetWeaver (Service Data Download) Priority: Correction with medium priority Released on: 9/9/25 Components: SV-SMG-SDD Category: Program error | Medium | 5.0 |
| 3643337 | [CVE-2025-42882] Missing Authorization check in SAP NetWeaver Application Server for ABAP Priority: Correction with medium priority Released on: 11/11/25 Components: BC-DB-DB6 Category: Program error | Medium | 4.3 |
| 3530544 | [CVE-2025-42899] Missing Authorization check in SAP S4CORE (Manage Journal Entries) Priority: Correction with medium priority Released on: 11/11/25 Components: FI-FIO-GL-TRA Category: Program error | Medium | 4.3 |
| 3617142 | [CVE-2025-31672] Deserialization Vulnerability in SAP BusinessObjects (Web Intelligence and Platform Search) Priority: Correction with low priority Released on: 10/14/25 Components: BI-RA-WBI Category: Program error | Low | 3.5 |
| 3426825 | [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP Priority: Correction with low priority Released on: 2/11/25 Components: OPU-GW-COR Category: Program error | Low | 3.1 |
| 3634053 | [CVE-2025-42883] Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench) Priority: Correction with low priority Released on: 11/11/25 Components: BC-SRV-DX-DXW Category: Program error | Low | 2.7 |
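Two points this post keeps returning to are that re-released notes (3660659, 3647332, 3664466) must be re-checked even if you applied them last month, and that a note only matters if the component it belongs to is actually in your landscape. The script below is an added example of doing that triage from a note table in the format above; it is not part of SecurityBridge's product or of any SAP tooling. The rows are copied from this page's table, the patch-day date is the one the post covers, and the set of installed component keys is a hypothetical landscape (AS Java, Business Connector and the HANA client, but no SQL Anywhere or BusinessObjects). Component matching relies on SAP component keys being hierarchical, so BC-MID-BUS is matched by the prefix BC-MID.

```python
"""Triage an SAP Security Patch Day note table: parse rows, flag re-released
notes, keep only notes for installed components, sort by CVSS (added example)."""
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample input: rows copied verbatim from the November 2025 table.
SAMPLE_ROWS = [
    "| 3666261 | [CVE-2025-42890] Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui) Priority: HotNews Released on: 11/11/25 Components: BC-SYB-SQA-ADM Category: Program error | Hot News | 10.0 |",
    "| 3660659 | [CVE-2025-42944] Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java Priority: HotNews Released on: 10/14/25 Components: BC-JAS-COR Category: Program error | Hot News | 10.0 |",
    "| 3668705 | [CVE-2025-42887] Code Injection vulnerability in SAP Solution Manager Priority: HotNews Released on: 11/11/25 Components: SV-SMG-SVD-SWB Category: Program error | Hot News | 9.9 |",
    "| 3665900 | [CVE-2025-42892] OS Command Injection vulnerability in SAP Business Connector Priority: Correction with medium priority Released on: 11/11/25 Components: BC-MID-BUS Category: Program error | Medium | 6.8 |",
    "| 3643385 | [CVE-2025-42895 ] Code Injection vulnerability in SAP HANA JDBC Client Priority: Correction with medium priority Released on: 11/11/25 Components: HAN-DB-CLI Category: Program error | Medium | 6.9 |",
    "| 3617142 | [CVE-2025-31672] Deserialization Vulnerability in SAP BusinessObjects (Web Intelligence and Platform Search) Priority: Correction with low priority Released on: 10/14/25 Components: BI-RA-WBI Category: Program error | Low | 3.5 |",
]

# The Patch Day this table belongs to; rows released earlier are re-released updates.
PATCH_DAY = date(2025, 11, 11)

# One table row. The CVE bracket may contain a stray space (as on this page),
# so the closing ']' is matched with optional whitespace before it.
ROW_RE = re.compile(
    r"^\|\s*(?P<note>\d+)\s*\|\s*\[(?P<cve>CVE-\d{4}-\d+)\s*\]\s*(?P<title>.*?)\s*"
    r"Priority:.*?Released on:\s*(?P<released>\d{1,2}/\d{1,2}/\d{2})\s*"
    r"Components:\s*(?P<component>\S+).*?\|\s*(?P<severity>[^|]+?)\s*\|\s*"
    r"(?P<cvss>\d+(?:\.\d+)?)\s*\|\s*$"
)


@dataclass(frozen=True)
class Note:
    note: str
    cve: str
    title: str
    released: date
    component: str
    severity: str
    cvss: float

    def is_update(self, patch_day: date = PATCH_DAY) -> bool:
        """True when the note was first published on an earlier Patch Day."""
        return self.released < patch_day


def parse_rows(rows):
    """Turn markdown table rows into Note records; fail loudly on a bad row."""
    notes = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparseable row: {row[:60]!r}")
        notes.append(Note(
            note=m["note"], cve=m["cve"], title=m["title"],
            released=datetime.strptime(m["released"], "%m/%d/%y").date(),
            component=m["component"], severity=m["severity"], cvss=float(m["cvss"]),
        ))
    return notes


def in_scope(note: Note, installed_components) -> bool:
    """SAP component keys are hierarchical, so an installed key matches itself
    and every sub-key below it (BC-MID matches BC-MID-BUS but not BC-MIDX)."""
    return any(note.component == c or note.component.startswith(c + "-")
               for c in installed_components)


def triage(notes, installed_components, patch_day: date = PATCH_DAY):
    """Notes for installed components, highest CVSS first; at equal CVSS,
    newly released notes before re-released updates."""
    relevant = [n for n in notes if in_scope(n, installed_components)]
    return sorted(relevant, key=lambda n: (-n.cvss, n.is_update(patch_day), n.note))


def count_by_severity(notes):
    """Severity breakdown, for cross-checking against the vendor's summary."""
    counts = {}
    for n in notes:
        counts[n.severity] = counts.get(n.severity, 0) + 1
    return counts


if __name__ == "__main__":
    notes = parse_rows(SAMPLE_ROWS)
    # Hypothetical landscape (assumption): AS Java, Business Connector, HANA client.
    for n in triage(notes, {"BC-JAS", "BC-MID", "HAN-DB"}):
        flag = "UPDATE" if n.is_update() else "NEW"
        print(f"{n.note} {n.cve:<15} {n.cvss:>4} {n.severity:<8} {flag:<6} "
              f"{n.component:<16} {n.title}")
```

For the sample landscape this lists 3660659 (flagged UPDATE, so its workaround and hardening steps need re-checking), then 3643385 and 3665900, and drops the SQL Anywhere, Solution Manager and BusinessObjects notes that do not apply. Feed it the full table and your own component list to get the same prioritised view; the severity counts can be compared with the vendor's summary to catch rows lost in copy-paste.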
