Staying ahead of security vulnerabilities is a constant battle for IT professionals. Major software vendors like Microsoft and Oracle regularly release patches to address newly discovered weaknesses, often following a predictable schedule. Understanding these “Patchdays” – and the updates they bring – is crucial for maintaining system security and protecting against potential exploits. This article highlights recent and upcoming patch releases from both Microsoft and Oracle, offering insights into critical updates for IT security teams.
SAP Patchday November 2025
Hard-Coded Credentials Found in SAP SQL Anywhere Monitor
SAP is addressing 20 security vulnerabilities in its November patch release, including two with a critical CVSS score of 10.0. Particularly severe are hard-coded credentials in the SQL Anywhere Monitor and a deserialization flaw in NetWeaver.
As the year draws to a close, SAP has released its penultimate Patchday update. Five of the 20 security fixes in the November SAP Patchday address vulnerabilities in NetWeaver. This core product from the software giant has consistently drawn attention from administrators and patch management teams in recent months.
Critical Vulnerabilities in SQL Anywhere Monitor and Solution Manager
The security vulnerability CVE-2025-42890, which SAP is addressing in its November Patchday, has the highest possible CVSS score of 10.0. Login credentials for SAP’s SQL Anywhere Monitor (Non-GUI) are embedded in the code, which allows unauthorized access to resources and functions. Attackers could also execute arbitrary code. The research team at Onapsis points out that the patch for CVE-2025-42890 completely disables the SQL Anywhere Monitor. If the patch cannot be applied promptly, SAP also recommends temporarily disabling the solution and deleting all database instances. It is currently unknown when the solution will be “cleared” for use. Removing hard-coded credentials is typically a complex process for developers, but applying a fix is usually straightforward for customers.
Another critical vulnerability is found in SAP’s Solution Manager. Due to a lack of input sanitization, the administration platform allows an authenticated attacker to inject malicious code when calling a remotely callable function module. This could grant the attacker complete control over the system.