SAP Security Patch Day November 2025: Three Critical Priority Fixes

Key Takeaways

  • SAP released 20 security patch notes on November 11, including 18 new patches and two updates, with three rated as critical priority, emphasizing the need for immediate attention from customers.

  • The three critical priority security patches address vulnerabilities affecting SQL Anywhere Monitor, SAP NetWeaver AS Java, and SAP Solution Manager.

  • Collaboration with independent vendors such as Onapsis and SecurityBridge is crucial, as they contribute to identifying and addressing security vulnerabilities, providing users with valuable insights and early warnings.

On November 11, SAP released 20 security patch notes, including 18 new security patches and two updated patches. The release was part of its monthly SAP Security Patch Day feature, which provides regular updates throughout the year.

This month, SAP rated three of the security patches as critical priority, while one is high priority, 14 are medium priority, and two are low priority. SAP encourages customers to visit its Support Portal to apply the patches accordingly.

Critical Priority Security Patches

SAP assigned critical priority to the following security notes, based on their Common Vulnerability Scoring System (CVSS) scores:

  1. The Insecure Key and Secret Management vulnerability in SQL Anywhere Monitor (Non-GUI), Note# 3666261, had a CVSS score of 10.00 out of 10.00;
  2. The Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java, Note# 3660659, had a CVSS score of 10.00;
  3. The Code Injection vulnerability in SAP Solution Manager, Note# 3668705, had a CVSS score of 9.9.

SAP reported that the Insecure Key and Secret Management vulnerability affects the SYBASE_SQL_ANYWHERE_SERVER 17.0 version of SQL Anywhere Monitor (Non-GUI). According to the CVE record, the vulnerability exposes “the resources or functionality to unintended users,” which provides “attackers with the possibility of arbitrary code execution.”

The Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java—an update to a security note released in October—affects the SERVERCORE 7.50 version of SAP NetWeaver AS Java. CVE reported the deserialization vulnerability could allow an unauthenticated attacker to “exploit the system through the RMI-P4 module by submitting malicious payload to an open port.”

The Code Injection vulnerability in SAP Solution Manager affects the ST 720 version of SAP Solution Manager. CVE stated the vulnerability “allows an authenticated attacker to insert malicious code when calling a remote-enabled function module.”

Research from Onapsis and SecurityBridge Contributed

Onapsis Research Labs (ORL) reported that it contributed to seven of the SAP Security Notes. These included:

  • OS Command Injection vulnerability in SAP Business Connector;
  • Path Traversal vulnerability in SAP Business Connector;
  • Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector;
  • Open Redirect vulnerability in SAP Business Connector;
  • JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal;
  • Open Redirect vulnerabilities in SAP S/4HANA landscape;
  • Missing authentication in SAP HANA 2.0 (hdbrss).

SecurityBridge, meanwhile, reported it contributed to three SAP Security Notes. These included the Code Injection vulnerability in SAP Solution Manager, Missing Authorization check in SAP NetWeaver Application Server for ABAP, and Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench).

What This Means for SAPinsiders

  • Prioritize the critical patches. The three critical security patches affect SQL Anywhere Monitor, SAP NetWeaver AS Java, and SAP Solution Manager. SAP customers using these products should review the related security notes and apply patches as soon as possible. Moreover, customers should have and follow a regular patching strategy.
  • Older, specialized components carry some risk. November’s SAP Security Patch Day shows that legacy SAP components, like SAP Business Connector, and specialized tools, like SQL Anywhere Monitor, require more attention from cybersecurity professionals. Given that patches often disable these components, SAPinsiders should evaluate and consider disabling components that are not actively in use.
  • Pro-active vendors make a difference. While users can wait for SAP Security Patch Day, independent vendors like Onapsis and SecurityBridge identify, assess, and redress vulnerabilities related to their customers’ exposure. Working with, or following blogs and threat intelligence from, these vendors can offer organizations a head start on addressing potentially critical issues.
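The first two takeaways above amount to a triage step: match each critical note's affected component and release against what is actually installed, patch the systems that match first, and treat components that are installed nowhere as candidates for being switched off rather than left unpatched. The following Python helper, added here as an illustration and not SAP's own tooling, does exactly that over the three critical notes named in the article. The note numbers, priorities, CVSS scores and component/release identifiers are taken from the article; the system inventory (`INVENTORY`, with system IDs such as `PRD-JAVA`) and the helper functions are constructed assumptions for the example.

```python
"""Patch-triage helper for the November 2025 SAP Security Patch Day.

Note numbers, priorities, CVSS scores and affected component/release
values come from the article. The inventory and the helper functions
are assumptions made for this example, not SAP's own tooling.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityNote:
    note: int
    title: str
    priority: str          # "critical", "high", "medium" or "low"
    cvss: float
    component: str         # software component as SAP names it
    release: str           # affected release of that component


# The three critical priority notes named in the article.
NOTES = [
    SecurityNote(3666261, "Insecure Key and Secret Management in SQL Anywhere Monitor (Non-GUI)",
                 "critical", 10.0, "SYBASE_SQL_ANYWHERE_SERVER", "17.0"),
    SecurityNote(3660659, "Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java",
                 "critical", 10.0, "SERVERCORE", "7.50"),
    SecurityNote(3668705, "Code Injection in SAP Solution Manager",
                 "critical", 9.9, "ST", "720"),
]

# Constructed inventory (assumption): component -> {system id: installed release}.
INVENTORY = {
    "SERVERCORE": {"PRD-JAVA": "7.50", "DEV-JAVA": "7.50"},
    "ST": {"SOLMAN": "720"},
    "SYBASE_SQL_ANYWHERE_SERVER": {},   # installed nowhere in this landscape
}

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def applicable_notes(notes, inventory):
    """Return (note, [system ids]) pairs for notes whose affected component
    and release are present in the inventory, ordered by priority, then by
    CVSS score (highest first), then by note number."""
    hits = []
    for n in notes:
        systems = sorted(sid for sid, rel in inventory.get(n.component, {}).items()
                         if rel == n.release)
        if systems:
            hits.append((n, systems))
    hits.sort(key=lambda h: (PRIORITY_RANK[h[0].priority], -h[0].cvss, h[0].note))
    return hits


def not_installed(notes, inventory):
    """Notes whose affected component is absent from the inventory: confirm the
    component really is unused and consider disabling it, per the article's advice."""
    return [n for n in notes if not inventory.get(n.component)]


if __name__ == "__main__":
    for n, systems in applicable_notes(NOTES, INVENTORY):
        print(f"Note {n.note} [{n.priority}, CVSS {n.cvss}] -> {', '.join(systems)}: {n.title}")
    for n in not_installed(NOTES, INVENTORY):
        print(f"Note {n.note}: {n.component} not in inventory; confirm it is unused before disabling")
```

With the constructed inventory, the NetWeaver AS Java note comes out first (critical, CVSS 10.0, two matching systems), the Solution Manager note second, and the SQL Anywhere Monitor note is reported as not installed. A real landscape would feed the inventory from the system's own component and release data rather than a hard-coded dictionary.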
