- CVE-2025-42887 in SAP Solution Manager allows unauthorized code injection and full system takeover
- Vulnerability scored 9.9/10; patch released in SAP November 2025 update
- SAP also fixed CVE-2024-42890, a 10/10 flaw in SQL Anywhere Monitor
SAP Solution Manager, an application lifecycle management (ALM) platform with tens of thousands of user organizations, carried a critical severity vulnerability that allowed threat actors to fully take over compromised endpoints, experts have warned.
Security researchers at SecurityBridge, who notified SAP after discovering the flaw, described it as a “missing input sanitization” vulnerability that allows unauthorized threat actors to inject malicious code when calling a remotely activated function module.
“This could give the attacker full control over the system and thus lead to a major impact on the confidentiality, integrity and availability of the system,” explained the National Vulnerability Database (NVD).
SAP fixes a 10/10 bug
The bug is now tracked as CVE-2025-42887 and was given a severity score of 9.9/10 (Critical).
A patch is now publicly available, and while SAP’s users were previously notified, the researchers again encourage everyone to apply it as soon as possible, as the risk will only increase in the future:
“A public patch has been released for this vulnerability today, which may speed up reverse-engineering and exploit development, so patching soon is advised,” SecurityBridge said in its announcement.
“When we discover a vulnerability that gets a priority of 9.9 out of 10, we know we’re looking at a threat that can give attackers complete system control,” said Joris van de Vis, director of security research, SecurityBridge.
“CVE-2025-42887 is particularly dangerous because it allows the injection of code from a low-privileged user, leading to a complete compromise of SAP and all data contained in the SAP system. This code injection vulnerability in SAP Solution Manager represents exactly the kind of critical attack surface weakness that our Threat Research Labs work tirelessly to identify and eliminate. Vulnerabilities like this in business backbone systems like SAP show us why proactive security research is non-negotiable.”
The vulnerability was patched as part of SAP’s November Patch Day, a cumulative update that addressed 18 new vulnerabilities and updated two previously published notes. In addition to the one mentioned above, SAP fixed a 10/10 bug in the non-GUI variant of SQL Anywhere Monitor. This bug is tracked as CVE-2024-42890 and is another case of hard-coded credentials.
“SQL Anywhere Monitor (Non-GUI) baked credentials into code, exposed resources or functionality to unintended users, and allowed attackers to execute arbitrary code,” the description reads. SQL Anywhere Monitor is a database monitoring and alerting tool and part of the SQL Anywhere suite.