[Vulnerability Alert] SAP Issues Major Security Advisory for 2 Products

• Subject: [Vulnerability Alert] SAP Issues Major Security Advisory for 2 Products
• Content:
  • Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202511-00000009
  • [CVE-2025-42887, CVSS: 9.9] This vulnerability lacks an input sanitation mechanism, allowing an authenticated attacker to inject malicious code when calling remote function modules, affecting the confidentiality, integrity, and availability of the system.
  • [CVE-2025-42890, CVSS: 10.0] SQL Anywhere Monitor (Non-GUI) has a key and key management security vulnerability due to directly embedded credentials in the program, which could allow an unauthorized attacker to obtain system resources or execute arbitrary code, affecting the confidentiality, integrity, and availability of the system.
• Affected Platforms:
  • SAP Solution Manager ST 720 version
  • SQL Anywhere Monitor (Non-Gui) SYBASE_SQL_ANYWHERE_SERVER 17.0 version
• Recommended Measures:
  • Please apply the resolution released by the official website: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html
• References:
  • https://www.twcert.org.tw/tw/cp-169-10505-efc69-1.html

Computer and Communications Center
Network Systems Group