CVE-2025-42887

critical

Description

Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system.

References

References
More

https://hackread.com/sap-patch-cve-2025-42887-takeover-vulnerability/

https://www.securityweek.com/sap-patches-critical-flaws-in-sql-anywhere-monitor-solution-manager/

https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credentials-flaw-in-sql-anywhere-monitor/

https://securityaffairs.com/184500/security/sap-fixed-a-maximum-severity-flaw-in-sql-anywhere-monitor.html

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3668705

Details

Source: Mitre, NVD

Published: 2025-11-11

Updated: 2025-11-12

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.9

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00047