SAP Security Notes - 11/25 - SecurityBridge Cloud

We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.
We hope you enjoy using it!

× Yikes, there is work to do!
This time we found critical correction advisiories. We count 24 and the highest CVSS score is 10.0.

Severity

SAP© Security advisories 24

System Types

Affected SAP© system types

_{Related note}
3660659

_CVSS
10.0

_{Affected system
type}
Java

_Patchday
2025-11

_{Released
on}
2025/10/14

Description
[CVE-2025-42944] Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java

Security Advisory

_{Related note}
3666261

_CVSS
10.0

_{Affected system
type}
Sybase platform

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42890] Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui)

Security Advisory

_{Related note}
3647332

_CVSS
9.0

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/10/14

Description
[CVE-2025-42910] Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management

Security Advisory

_{Related note}
3664466

_CVSS
7.5

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-11

_{Released
on}
2025/10/14

Description
[CVE-2025-5115] Denial of service (DOS) in SAP Commerce Cloud (Search and Navigation)

Security Advisory

_{Related note}
3633049

_CVSS
7.5

_{Affected system
type}
ABAP Java HANA platform

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42940] Memory Corruption vulnerability in SAP CommonCryptoLib

Security Advisory

_{Related note}
3643385

_CVSS
6.9

_{Affected system
type}
SAP HANA Client

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42895 ] Code Injection vulnerability in SAP HANA JDBC Client

Security Advisory

_{Related note}
3666038

_CVSS
6.8

_{Affected system
type}
SAP Business Connector

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42894] Path Traversal vulnerability in SAP Business Connector

Security Advisory

_{Related note}
3665900

_CVSS
6.8

_{Affected system
type}
SAP Business Connector

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42892] OS Command Injection vulnerability in SAP Business Connector

Security Advisory

_{Related note}
3660969

_CVSS
6.5

_{Affected system
type}
Java

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42884] JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal

Security Advisory

_{Related note}
3662000

_CVSS
6.1

_{Affected system
type}
SAP Business Connector

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42893] Open Redirect vulnerability in SAP Business Connector

Security Advisory

_{Related note}
3665907

_CVSS
6.1

_{Affected system
type}
SAP Business Connector

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42886] Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector

Security Advisory

_{Related note}
3642398

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42924] Open Redirect vulnerabilities in SAP S/4HANA landscape (SAP E-Recruiting BSP)

Security Advisory

_{Related note}
3597355

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/08/12

Description
[CVE-2025-42942] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP

Security Advisory

_{Related note}
3639264

_CVSS
5.8

_{Affected system
type}
SAP HANA Platform

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42885] Missing authentication in SAP HANA 2.0 (hdbrss)

Security Advisory

_{Related note}
3651097

_CVSS
5.5

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42888] Information Disclosure vulnerability in SAP GUI for Windows

Security Advisory

_{Related note}
2886616

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42889] SQL Injection vulnerability in SAP Starter Solution (PL SAFT)

Security Advisory

_{Related note}
3643603

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42919] Information Disclosure vulnerability in SAP NetWeaver Application Server Java

Security Advisory

_{Related note}
3652901

_CVSS
5.3

_{Affected system
type}
SAP Business One

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42897] Information Disclosure vulnerability in SAP Business One (SLD)

Security Advisory

_{Related note}
3627644

_CVSS
5.0

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/09/09

Description
[CVE-2025-42911] Missing Authorization check in SAP NetWeaver (Service Data Download)

Security Advisory

_{Related note}
3530544

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42899] Missing Authorization check in SAP S4CORE (Manage Journal Entries)

Security Advisory

_{Related note}
3643337

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42882] Missing Authorization check in SAP NetWeaver Application Server for ABAP

Security Advisory

_{Related note}
3617142

_CVSS
3.5

_{Affected system
type}
BI/BO platform

_Patchday
2025-11

_{Released
on}
2025/10/14

Description
[CVE-2025-31672] Deserialization Vulnerability in SAP BusinessObjects (Web Intelligence and Platform Search)

Security Advisory

_{Related note}
3426825

_CVSS
3.1

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/02/11

Description
[CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP

Security Advisory

_{Related note}
3634053

_CVSS
2.7

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/11/11

Description
[CVE-2025-42883] Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench)

Security Advisory

Notifications

Severity

SAP© Security advisories 24

System Types

Affected SAP© system types

Related note 3660659

CVSS 10.0

Affected system type Java

Patchday2025-11

Released on2025/10/14

Related note 3666261

CVSS 10.0

Affected system type Sybase platform

Patchday2025-11

Released on2025/11/11

Related note 3647332

CVSS 9.0

Affected system type ABAP

Patchday2025-11

Released on2025/10/14

Related note 3664466

CVSS 7.5

Affected system type SAP Commerce Cloud

Patchday2025-11

Released on2025/10/14

Related note 3633049

CVSS 7.5

Affected system type ABAP Java HANA platform

Patchday2025-11

Released on2025/11/11

Related note 3643385

CVSS 6.9

Affected system type SAP HANA Client

Patchday2025-11

Released on2025/11/11

Related note 3666038

CVSS 6.8

Affected system type SAP Business Connector

Patchday2025-11

Released on2025/11/11

Related note 3665900

CVSS 6.8

Affected system type SAP Business Connector

Patchday2025-11

Released on2025/11/11

Related note 3660969

CVSS 6.5

Affected system type Java

Patchday2025-11

Released on2025/11/11

Related note 3662000

CVSS 6.1

Affected system type SAP Business Connector

Patchday2025-11

Released on2025/11/11

Related note 3665907

CVSS 6.1

Affected system type SAP Business Connector

Patchday2025-11

Released on2025/11/11

Related note 3642398

CVSS 6.1

Affected system type ABAP

Patchday2025-11

Released on2025/11/11

Related note 3597355

CVSS 6.1

Affected system type ABAP

Patchday2025-11

Released on2025/08/12

Related note 3639264

CVSS 5.8

Affected system type SAP HANA Platform

Patchday2025-11

Released on2025/11/11

Related note 3651097

CVSS 5.5

Affected system type SAP GUI / Frontend

Patchday2025-11

Released on2025/11/11

_{Related note}
3660659

_CVSS
10.0

_{Affected system
type}
Java

_Patchday
2025-11

_{Released
on}
2025/10/14

_{Related note}
3666261

_CVSS
10.0

_{Affected system
type}
Sybase platform

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3647332

_CVSS
9.0

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/10/14

_{Related note}
3664466

_CVSS
7.5

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-11

_{Released
on}
2025/10/14

_{Related note}
3633049

_CVSS
7.5

_{Affected system
type}
ABAP Java HANA platform

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3643385

_CVSS
6.9

_{Affected system
type}
SAP HANA Client

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3666038

_CVSS
6.8

_{Affected system
type}
SAP Business Connector

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3665900

_CVSS
6.8

_{Affected system
type}
SAP Business Connector

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3660969

_CVSS
6.5

_{Affected system
type}
Java

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3662000

_CVSS
6.1

_{Affected system
type}
SAP Business Connector

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3665907

_CVSS
6.1

_{Affected system
type}
SAP Business Connector

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3642398

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3597355

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/08/12

_{Related note}
3639264

_CVSS
5.8

_{Affected system
type}
SAP HANA Platform

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
3651097

_CVSS
5.5

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-11

_{Released
on}
2025/11/11

_{Related note}
2886616

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-11

_{Released
on}
2025/11/11