SecurityBridge has reported a critical security vulnerability in SAP systems, identified through its Threat Research Labs.
Revealed to customers on October 30, 2025, ahead of public disclosure, the vulnerability has been rated a severe 9.9 out of 10, prompting customers to update their detection signatures immediately.
The discovery is part of 25 new and updated vulnerabilities highlighted in SAP's November Patch Day notes.
Details of the vulnerability
The key concern, recorded under HotNews note 3668705 – [CVE-2025-42887], involves a code injection risk within SAP Solution Manager.
This issue arises from a misused remote-enabled function module, enabling attackers to gain full control over the affected system. The subsequent release of a public patch has the potential to accelerate exploit development, making prompt patching essential.
Additional findings
Alongside the critical vulnerability, two others were noted. A medium-priority vulnerability is identified as note 3643337 – [CVE-2025-42882], attributed to a missing authorisation check in SAP NetWeaver Application Server for ABAP 4.3.
A low-priority issue was noted under 3634053 – [CVE-2025-42883], dealing with insecure file operations in the same application server's Migration Workbench.
Expert insights
Joris van de Vis, Director of Security Research at SecurityBridge, emphasised the threat's severity: "When we discover a vulnerability that scores a 9.9 out of 10 priority rating, we know we're looking at a threat that could give attackers complete system control."
Van de Vis highlighted the risk of CVE-2025-42887 due to its potential for code injection via a low-privileged user, leading to a total system compromise.
History of vulnerability discoveries
SecurityBridge's Threat Research Labs has consistently identified critical SAP vulnerabilities. In September 2025, they uncovered a major SAP S/4HANA code injection issue, also rated 9.9 in severity.
In August 2025, the team found three vulnerabilities, including two with 9.9 severity scores, such as the SAP Landscape Transformation (Analysis Platform) issue.
SecurityBridge's proactive measures
The company has proactively updated the SecurityBridge Platform to guard against known vulnerabilities. This includes enhancing Patch Management to provide detailed insights into current patching needs within SAP environments and a comprehensive overview of existing vulnerabilities.
SecurityBridge, creator of the Cybersecurity Command Center for SAP, announced that the SecurityBridge Threat Research Labs uncovered a critical SAP vulnerability rated a 9.9 out of 10 severity, and gave its customers advanced notice on October 30, 2025, to update detection signatures before the vulnerability was publicly disclosed.
In total, the Threat Research Labs uncovered three vulnerabilities that were among the 25 new and updated SAP Security Notes SAP published for its November Patch Day.
Contained in the SAP Patch Day alert, the HotNews note 3668705 – [CVE-2025-42887] Code Injection vulnerability in SAP Solution Manager describes how a remote-enabled function module can be misused to inject malicious code, resulting in complete system control.
Public patch
A public patch for this vulnerability has been released, which might speed up reverse-engineering and exploit development, so patching soon is advised.
In addition to the highest priority category discovered, the Threat Research Labs found the following two vulnerabilities, also released within the SAP Patch Day notes:
- Medium priority: note 3643337 – [CVE-2025-42882] Missing Authorisation check in SAP NetWeaver Application Server for ABAP 4.3
- Low priority: note 3634053 – [CVE-2025-42883] Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench)
Code-injection vulnerability
"When we discover a vulnerability that scores a 9.9 out of 10 priority rating, we know we're looking at a threat that could give attackers complete system control," said Joris van de Vis, Director of Security Research, SecurityBridge.
"CVE-2025-42887 is particularly dangerous because it allows a low-privileged user to inject code, which leads to a full compromise of the SAP system and all data contained in it."
"This code-injection vulnerability in SAP Solution Manager represents exactly the kind of critical attack surface weakness that our Threat Research Labs work tirelessly to identify and eliminate. SAP systems are the backbone of business operations, and vulnerabilities like this remind us why proactive security research is non-negotiable."
Uncovering the most critical SAP vulnerabilities
The SecurityBridge Threat Research Labs has a history of uncovering the most critical SAP vulnerabilities:
- In September 2025, the company discovered a Critical SAP S/4HANA code injection vulnerability (CVE-2025-42957), rated 9.9 out of 10 in severity.
- In August 2025, the team discovered three vulnerabilities, two of which were rated 9.9 out of 10 in severity:
  - [CVE-2025-42950] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform)
  - [CVE-2025-42957] Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
  - [CVE-2025-42946] Directory Traversal vulnerability in SAP S/4HANA (Bank Communication Management)
The company has updated the SecurityBridge Platform to ensure customers are insulated from known vulnerabilities. SecurityBridge's Patch Management offers insights into existing patching gaps within SAP landscapes, a complete list of today's new vulnerabilities, and an overview of existing vulnerabilities.