SAP fixes serious security issues - here's how to stay safe
Two critical severity bugs were recently fixed
- CVE-2025-42887 in SAP Solution Manager lets a low-privileged user inject code and take over the whole system
- Vulnerability scored 9.9/10; patch released in SAP’s November 2025 update
- SAP also fixed CVE-2024-42890, a 10/10 flaw in SQL Anywhere Monitor
SAP Solution Manager, an application lifecycle management (ALM) platform used by tens of thousands of organizations, carried a critical severity vulnerability that allowed threat actors to fully take over affected systems, experts have warned.
Security researchers at SecurityBridge, who found the flaw and reported it to SAP, describe it as a “missing input sanitation” vulnerability: a low-privileged authenticated user can inject malicious code when calling a remote-enabled function module, and that code then runs with the privileges of the Solution Manager system itself.
“This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system”, the National Vulnerability Database (NVD) explained.
SAP fixes a 10/10 bug
The bug is now tracked as CVE-2025-42887 and was given a severity score of 9.9/10 (critical).
A patch is now publicly available, and although SAP customers were notified earlier, the researchers are again urging everyone to apply it as soon as possible: once a patch is public, attackers can diff it against the unpatched code to locate the flaw and build an exploit, so the risk grows with every day the fix is not deployed:
“A public patch for this vulnerability has been released today, which might speed up reverse-engineering and exploit development, so patching soon is advised,” SecurityBridge said in its announcement.
"When we discover a vulnerability that scores a 9.9 out of 10 priority rating, we know we're looking at a threat that could give attackers complete system control," said Joris van de Vis, Director of Security Research, SecurityBridge.
"CVE-2025-42887 is particularly dangerous because it allows a low-privileged user to inject code, which leads to a full compromise of the SAP system and all the data it contains. This code-injection vulnerability in SAP Solution Manager represents exactly the kind of critical attack surface weakness that our Threat Research Labs work tirelessly to identify and eliminate. SAP systems are the backbone of business operations, and vulnerabilities like this remind us why proactive security research is non-negotiable."
The vulnerability was fixed as part of SAP’s November Patch Day, which addressed 18 new security notes and updated two previously published ones. Besides the Solution Manager bug, SAP fixed a 10/10 flaw in the non-GUI variant of SQL Anywhere Monitor. Tracked as CVE-2024-42890, it is a case of hardcoded credentials: anyone who can reach the component and knows the embedded secret can use it, so the fix is to patch rather than to rely on network filtering alone.
"SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution," the description reads. SQL Anywhere Monitor is a database monitoring and alert tool, and part of the SQL Anywhere suite.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.