- CVE-2025-42887 in SAP Solution Manager allows unauthenticated code injection and full system takeover
- Vulnerability rated 9.9/10; Patch released in SAP November 2025 update
- SAP also fixed CVE-2024-42890, a 10/10 bug in SQL Anywhere Monitor
SAP Solution Manager, an Application Lifecycle Management (ALM) platform with tens of thousands of user organizations, had a serious vulnerability that could allow attackers to take full control of compromised endpoints, experts warned.
Security researchers at SecurityBridge, who notified SAP after discovering the flaw, described a “missing input control” vulnerability that could allow unauthenticated threat actors to inject malicious code by calling a remotely activated function module.
“This could give the attacker complete control over the system and therefore have a significant impact on the confidentiality, integrity and availability of the system,” according to the National Vulnerability Database (NVD).
SAP fixes a 10/10 bug
The bug is now tracked as CVE-2025-42887 and has been assigned a severity rating of 9.9/10 (Critical).
A patch is now publicly available, and although SAP users were informed earlier, researchers are again urging everyone to apply it as soon as possible, since the risk will only increase over time:
“A public patch for this vulnerability was released today, which may speed up reverse engineering and exploit development, so we recommend you apply it quickly,” SecurityBridge said in the announcement.
“When we discover a vulnerability that receives a priority value of 9.9 out of 10, we know that we are dealing with a threat that can give attackers complete control of the system,” said Joris van de Vis, director of security research at SecurityBridge.
“CVE-2025-42887 is particularly dangerous because it allows code injection by a low-privileged user, which completely compromises SAP and all data in the SAP system. This code injection vulnerability in SAP Solution Manager represents exactly the type of critical attack surface vulnerabilities that our research labs work tirelessly to identify and fix. SAP systems are the backbone of business operations, which is why reminding ourselves of security issues is important.”
The vulnerability was addressed as part of SAP’s November Patch Day, a cumulative update that fixes 18 new bugs and updates two previously reported ones. In addition to the bug described above, SAP has fixed a 10/10 bug in the non-GUI variant of SQL Anywhere Monitor. This bug is tracked as CVE-2024-42890 and is another case of hard-coded credentials.
“SQL Anywhere Monitor (non-GUI) has credentials embedded in its code, which exposes resources or functions to unwanted users and allows attackers to execute arbitrary code,” the description reads. SQL Anywhere Monitor is a database monitoring and alerting tool and part of the SQL Anywhere suite.