Advisory
SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3643385 was released on 11.11.2025 and deals with "[CVE-2025-42895] Code Injection vulnerability in SAP HANA JDBC Client" within SAP HANA Client. We advise you to follow the instructions to resolve this command injection, which has a medium potential for exploitation, in component HAN-DB-CLI. According to the SAP Security Advisory team, a workaround exists. It is advisable to implement the correction as part of the monthly patch process.
Risk specification
SAP HANA JDBC Client allows an authenticated attacker with high privileges to provide crafted parameters, resulting in unauthorized code loading or execution.
Solution
This correction introduces sufficient validation of connection property values by requiring a new JRM system property to be explicitly set before the JDBC client executes the method specified by the connection property. Alternatively, the consulting team has proposed the following: "Restrict configuration control to authenticated users, validate all connection parameters, and ensure the application only loads code from approved and trusted sources." The suggestion may be considered as a workaround or compensating mitigation. We recommend installing/applying the correction wherever possible and as soon as possible. Base your decision on whether or not to apply the patch on your company's and systems' risk perspective, and consider the provided CVSS score of 6.9.
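The two controls described above (an explicit opt-in system property before configuration-named code is executed, and strict validation of every connection parameter with code loaded only from trusted sources) can be illustrated with a generic guard placed in front of a JDBC connection. The following is an added example written for this advisory; it is not SAP's JDBC driver code and does not use SAP's property names. The property keys, the opt-in flag `example.jdbc.allowConfiguredCodeLoading`, the trusted package prefix and the sample values are all hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Generic hardening pattern for JDBC-style connection properties (added example,
 * not SAP's driver code). Two controls are combined:
 *  1. every property key must be on an allowlist and its value must match a
 *     strict per-key pattern (validation of all connection parameters);
 *  2. a property whose value names code to be loaded or executed is honoured only
 *     when the operator has explicitly opted in via a system property AND the
 *     named class lives in an approved package.
 * All property names, package names and sample values here are hypothetical.
 */
public final class ConnectionPropertyGuard {

    // Hypothetical opt-in flag, set on the JVM command line, never from a connection string.
    static final String OPT_IN_PROPERTY = "example.jdbc.allowConfiguredCodeLoading";

    // Hypothetical allowlist of property keys, each with a strict value pattern.
    private static final Map<String, Pattern> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("user", Pattern.compile("^[A-Za-z0-9_]{1,64}$"));
        ALLOWED.put("password", Pattern.compile("^[^\\r\\n]{1,256}$"));
        ALLOWED.put("encrypt", Pattern.compile("^(true|false)$"));
        ALLOWED.put("validateCertificate", Pattern.compile("^(true|false)$"));
        // A property whose value names a class to instantiate: the kind that needs the extra gate.
        ALLOWED.put("callbackHandlerClass",
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*$"));
    }

    // Keys whose values cause code to be loaded or executed.
    private static final Set<String> CODE_LOADING_KEYS = Set.of("callbackHandlerClass");

    // Hypothetical approved package prefixes from which code may be loaded.
    private static final Set<String> TRUSTED_PACKAGES = Set.of("com.example.trusted.");

    /** Returns a cleaned copy; throws IllegalArgumentException for anything not explicitly permitted. */
    public static Properties validate(Properties supplied) {
        Properties clean = new Properties();
        for (String key : supplied.stringPropertyNames()) {
            Pattern rule = ALLOWED.get(key);
            if (rule == null) {
                throw new IllegalArgumentException("unknown connection property: " + key);
            }
            String value = supplied.getProperty(key);
            if (!rule.matcher(value).matches()) {
                throw new IllegalArgumentException("malformed value for property " + key);
            }
            if (CODE_LOADING_KEYS.contains(key)) {
                requireCodeLoadingPermitted(key, value);
            }
            clean.setProperty(key, value);
        }
        return clean;
    }

    private static void requireCodeLoadingPermitted(String key, String className) {
        // Gate 1: the operator must opt in explicitly; connection parameters alone cannot enable this.
        if (!Boolean.getBoolean(OPT_IN_PROPERTY)) {
            throw new IllegalArgumentException(
                "property " + key + " requires -D" + OPT_IN_PROPERTY + "=true");
        }
        // Gate 2: only classes from approved, trusted packages may be named.
        boolean trusted = TRUSTED_PACKAGES.stream().anyMatch(className::startsWith);
        if (!trusted) {
            throw new IllegalArgumentException(
                "property " + key + " names a class outside the trusted packages: " + className);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: benign properties pass.
        Properties p = new Properties();
        p.setProperty("user", "REPORTING");
        p.setProperty("encrypt", "true");
        System.out.println("benign properties accepted: " + validate(p).size());

        // Constructed sample input: a code-loading property without the opt-in flag is rejected.
        Properties risky = new Properties();
        risky.setProperty("user", "REPORTING");
        risky.setProperty("callbackHandlerClass", "org.unknown.Loader");
        try {
            validate(risky);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the decision to execute configuration-named code is taken away from whoever controls the connection string and moved to the JVM command line (`-Dexample.jdbc.allowConfiguredCodeLoading=true`), where it is visible in process listings and deployment manifests and can be reviewed; unknown keys are rejected rather than passed through, so a new driver feature cannot be reached by a parameter the application never intended to expose.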
- 9.9 [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)
- 7.2 [CVE-2020-6191] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6192] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6236] Privilege Escalation in SAP Landscape Management (SAP Adaptive Extensions)
- 7.2 [CVE-2020-6234] Privilege Escalation in SAP Host Agent
