[Vulnerability Alert] SAP Issues Major Security Advisory for 2 Products

Posted Date: 2025/11/18

Subject: [Vulnerability Alert] SAP Issues Major Security Advisory for 2 Products
Content:
- Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202511-00000009
- [CVE-2025-42887, CVSS: 9.9] This vulnerability lacks an input sanitation mechanism, allowing an authenticated attacker to inject malicious code when calling remote function modules, affecting the confidentiality, integrity, and availability of the system.
- [CVE-2025-42890, CVSS: 10.0] SQL Anywhere Monitor (Non-GUI) has a key and key management security vulnerability due to directly embedded credentials in the program, which could allow an unauthorized attacker to obtain system resources or execute arbitrary code, affecting the confidentiality, integrity, and availability of the system.
Affected Platforms:
- SAP Solution Manager ST 720 version
- SQL Anywhere Monitor (Non-Gui) SYBASE_SQL_ANYWHERE_SERVER 17.0 version
Recommended Measures:
- Please apply the resolution released by the official website: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html
References:
- https://www.twcert.org.tw/tw/cp-169-10505-efc69-1.html

Computer and Communications Center
Network Systems Group