=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN783
_____________________________________________________________________

DATE                : 12/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html
_____________________________________________________________________


SAP Security Patch Day - November 2025

This post shares information on the security notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the Support Portal and apply the patches as a
priority to protect their SAP landscape.

On 11 November 2025, SAP Security Patch Day saw the release of
18 new security notes. In addition, 2 previously released security
notes were updated.

Note#      Title                       Priority         CVSS
3666261
[CVE-2025-42890] Insecure key & Secret Management vulnerability in
SQL Anywhere Monitor (Non-Gui)
Product - SQL Anywhere Monitor (Non-Gui)
Version(s) - SYBASE_SQL_ANYWHERE_SERVER 17.0
     Critical         10.0

3660659
Update to Security Note released on October 2025 Patch Day:
[CVE-2025-42944] Security Hardening for Insecure Deserialization in
SAP NetWeaver AS Java
Product - SAP NetWeaver AS Java
Version(s) - SERVERCORE 7.50
     Critical        10.0

3668705
[CVE-2025-42887] Code Injection vulnerability in SAP Solution Manager
Product - SAP Solution Manager
Version(s) - ST 720
     Critical         9.9

3633049
[CVE-2025-42940] Memory Corruption vulnerability in SAP CommonCryptoLib
Product - SAP CommonCryptoLib
Version(s) - CRYPTOLIB 8
     High            7.5

3643385
[CVE-2025-42895] Code Injection vulnerability in SAP HANA JDBC Client
Product - SAP HANA JDBC Client
Version(s) - HDB_CLIENT 2.0
     Medium          6.9

3665900
[CVE-2025-42892] OS Command Injection vulnerability in SAP Business
Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8
     Medium          6.8

3666038
[CVE-2025-42894] Path Traversal vulnerability in SAP Business
Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8
     Medium          6.8

3660969
[CVE-2025-42884] JNDI Injection vulnerability in SAP NetWeaver
Enterprise Portal
Product - SAP NetWeaver Enterprise Portal
Version(s) - EP-BASIS 7.50, EP-RUNTIME 7.50
     Medium          6.5

3642398
[CVE-2025-42924] Open Redirect vulnerabilities in SAP S/4HANA
landscape (SAP E-Recruiting BSP)
Product - SAP S/4HANA landscape (SAP E-Recruiting BSP)
Version(s) - S4ERECRT 100, 200, ERECRUIT 600, 603, 604, 605,
606, 616, 617, 800, 801, 802
     Medium          6.1

3662000
[CVE-2025-42893] Open Redirect vulnerability in SAP Business
Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8
     Medium          6.1

3665907
[CVE-2025-42886] Reflected Cross-Site Scripting (XSS)
vulnerability in SAP Business Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8
     Medium          6.1

3639264
[CVE-2025-42885] Missing authentication in SAP HANA 2.0
(hdbrss)
Product - SAP HANA 2.0 (hdbrss)
Version(s) - HDB 2.00
     Medium          5.8

3651097
[CVE-2025-42888] Information Disclosure vulnerability
in SAP GUI for Windows
Product - SAP GUI for Windows
Version(s) - BC-FES-GUI 8.00, 8.10
     Medium          5.5

2886616
[CVE-2025-42889] SQL Injection vulnerability in SAP Starter
Solution (PL SAFT)
Product - SAP Starter Solution (PL SAFT)
Version(s) - SAP_APPL 600, 602, 603, 604, 605, 606, 616,
SAP_FIN 617, 618, 700, 720, 730, S4CORE 100, 101, 102, 103,
104
     Medium          5.4

3643603
[CVE-2025-42919] Information Disclosure vulnerability in SAP
NetWeaver Application Server Java
Product - SAP NetWeaver Application Server Java
Version(s) - ENGINEAPI 7.50, EP-BASIS 7.50
     Medium          5.3

3652901
[CVE-2025-42897] Information Disclosure vulnerability in SAP
Business One (SLD)
Product - SAP Business One (SLD)
Version(s) - B1_ON_HANA 10.0, SAP-M-BO 10.0
     Medium          5.3

3530544
[CVE-2025-42899] Missing Authorization check in SAP S4CORE
(Manage Journal Entries)
Product - SAP S4CORE (Manage Journal Entries)
Version(s) - S4CORE 104, 105, 106, 107, 108
     Medium          4.3

3643337
[CVE-2025-42882] Missing Authorization check in SAP NetWeaver
Application Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
     Medium          4.3

3426825
Update to Security Note released on February 2025 Patch Day:
[CVE-2025-23191] Cache Poisoning through header manipulation
vulnerability in SAP Fiori for SAP ERP
Product - SAP Fiori for SAP ERP
Version(s) - SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756,
757, 758
     Low             3.1

3634053
[CVE-2025-42883] Insecure File Operations vulnerability in SAP
NetWeaver Application Server for ABAP (Migration Workbench)
Product - SAP NetWeaver Application Server for ABAP (Migration
Workbench)
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
     Low             2.7

To learn more about the security researchers and research companies
who contributed to this month's security patches, visit
here.

SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to ensuring secure
operation and data integrity. We have therefore documented
security recommendations that are consolidated in this document
to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can
write to secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================