- 242/2025
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple SAP products.
SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products, such as SAP SQL Anywhere Monitor (Non‑GUI), SAP Solution Manager, SAP NetWeaver, SAP HANA, SAP Business Connector, SAP S/4HANA (E‑Recruiting BSP), SAP Business One, SAP GUI for Windows, and SAP CommonCryptoLib.
The attacker could exploit some of these vulnerabilities to perform denial of service attacks, conduct cross‑site scripting and open‑redirect attacks, perform directory traversal and manipulate system files, obtain sensitive information, bypass security restrictions, perform SQL injection, execute arbitrary commands, and gain access to the affected product.
Sample of the addressed vulnerabilities:
1. SAP SQL Anywhere Monitor (Non‑GUI) Insecure Key & Secret Management Vulnerability (CVE‑2025‑42890):
- CVSS: 10
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. SAP CommonCryptoLib Memory Corruption Vulnerability (CVE-2025-42940):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.