- CVE-2025-42887 in SAP Solution Manager allows unauthenticated code injection and full system takeover
- Vulnerability scored 9.9/10; fix released in SAP November 2025 update
- SAP also fixed CVE-2024-42890, a 10/10 flaw in SQL Anywhere Monitor
SAP Solution Manager, an application lifecycle management (ALM) platform with tens of thousands of user organizations, contained a critical severity vulnerability that allowed malicious actors to take full control of compromised endpoints, experts warned.
Security researchers at SecurityBridge, who reported the flaw to SAP after discovering it, described it as a “missing input check” vulnerability that allows unauthenticated threat actors to inject malicious code when calling a remote-enabled function module.
“This could provide the attacker with full control of the system, thereby leading to a significant impact on the confidentiality, integrity and availability of the system,” explained the National Vulnerability Database (NVD).
SAP fixes a 10/10 bug
The bug is now tracked as CVE-2025-42887 and has received a severity score of 9.9/10 (critical).
A fix is now publicly available and, although SAP users have been informed about it previously, the researchers are once again urging everyone to apply it as quickly as possible, as the risk will only increase in the future:
“A public patch for this vulnerability was released today, which could speed up reverse engineering and exploit development, so it is advisable to update it quickly,” SecurityBridge said in its announcement.
“When we discover a vulnerability that scores a priority rating of 9.9 out of 10, we know we are facing a threat that could give attackers complete control of the system,” said Joris van de Vis, director of security research at SecurityBridge.
“CVE-2025-42887 is particularly dangerous because it allows code from a low-privileged user to be injected, leading to a complete compromise of SAP and all data contained in the SAP system. This code injection vulnerability in SAP Solution Manager represents exactly the type of critical attack surface weakness that our threat research labs are working tirelessly to identify and eliminate. SAP systems are the backbone of business operations, and vulnerabilities like this remind us why proactive security research is non-negotiable.”
The vulnerability was fixed as part of SAP’s November Patch Day, a cumulative update that fixes 18 new bugs and updates two previously observed bugs. In addition to the one mentioned above, SAP fixed a 10/10 flaw in the non-GUI variant of SQL Anywhere Monitor. This bug is tracked as CVE-2024-42890 and is another case of hardcoded credentials.
“SQL Anywhere Monitor (Non-GUI) embedded credentials in code, exposing resources or functionality to unintended users and providing attackers with the ability to execute arbitrary code,” the description states. SQL Anywhere Monitor is a database monitoring and alerting tool and part of the SQL Anywhere suite.