- CVE-2025-42887 in SAP Solution Manager permits unauthenticated code injection and full system takeover
- Vulnerability scored 9.9/10; patch released in SAP’s November 2025 update
- SAP also fixed CVE-2024-42890, a 10/10 flaw in SQL Anywhere Monitor
SAP Solution Manager, an application lifecycle management (ALM) platform with tens of thousands of user organizations, carried a critical-severity vulnerability that allowed threat actors to fully take over compromised endpoints, experts have warned.
Security researchers at SecurityBridge, who notified SAP after discovering the flaw, described it as a “missing input sanitation” vulnerability, which allows unauthenticated threat actors to insert malicious code when calling a remote-enabled function module.
“This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system”, the National Vulnerability Database (NVD) explained.
SAP fixes a 10/10 bug
The bug is now tracked as CVE-2025-42887 and was given a severity score of 9.9/10 (critical).
A patch is now publicly available, and while SAP’s users were previously notified, the researchers are once again urging everyone to apply it as soon as possible since the risk is only going to get bigger going forward:
“A public patch for this vulnerability has been released today, which might speed up reverse-engineering and exploit development, so patching soon is advised,” SecurityBridge said in its announcement.
“When we discover a vulnerability that scores a 9.9 out of 10 priority rating, we know we’re looking at a threat that could give attackers complete system control,” said Joris van de Vis, Director of Security Research, SecurityBridge.
“CVE-2025-42887 is particularly dangerous because it allows to inject code from a low-privileged user, which leads to a full SAP compromise and all data contained in the SAP system. This code-injection vulnerability in SAP Solution Manager represents exactly the kind of critical attack surface weakness that our Threat Research Labs work tirelessly to identify and eliminate. SAP systems are the backbone of business operations, and vulnerabilities like this remind us why proactive security research is non-negotiable.”
The vulnerability was fixed as part of SAP’s November Patch Day, a cumulative update that addressed 18 new bugs and provided updates for two previously disclosed ones. Besides the one mentioned above, SAP fixed a 10/10 flaw in the non-GUI variant of SQL Anywhere Monitor. This bug is tracked as CVE-2024-42890 and is another case of hardcoded credentials.
“SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution,” the description reads. SQL Anywhere Monitor is a database monitoring and alert tool, and part of the SQL Anywhere suite.

