SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor
2025-11-11 15:46:24 Author: www.bleepingcomputer.com


SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform.

The security problem in SQL Anywhere Monitor is tracked as CVE-2025-42890 and consists of hardcoded credentials. Because of the elevated risk, the vulnerability received the maximum severity score of 10.0.

"SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution," reads the description for the flaw.


Depending on how the credentials are used, an attacker who obtains them can use them to access administrative functions.

SQL Anywhere Monitor is a database monitoring and alert tool, part of the SQL Anywhere suite, typically used by organizations managing distributed or remote databases.

The non-GUI monitor component is typically deployed on unattended appliances where it runs without frequent human oversight.

The second critical vulnerability, identified as CVE-2025-42887, has a severity score of 9.9 and affects the SAP Solution Manager, a platform for application lifecycle management.

“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” reads the entry in the National Vulnerability Database.

“This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system.”

SAP Solution Manager is a centralized management and monitoring platform for SAP environments, typically used by large enterprises that operate complex networks encompassing ERP, CRM, and analytics solutions.

In the context of the November 2025 security updates pack, SAP also released fixes for one high-severity flaw (CVE-2025-42940) and 14 other medium-severity vulnerabilities.

Also, the German software giant released updates for CVE-2025-42944, a critical flaw in NetWeaver that was initially addressed last month.

SAP products, widely deployed across large enterprises and entrusted with mission-critical data, are frequent targets for threat actors seeking high-value access.

Earlier this year, SecurityBridge researchers reported active exploitation of a critical code-injection vulnerability, tracked as CVE-2025-42957, affecting SAP S/4HANA, Business One, and NetWeaver systems.

No active exploitation has been detected for the two critical flaws that SAP fixed today, but system administrators are advised to apply the available updates as soon as possible and follow the vendor’s mitigation recommendations for CVE-2025-42890 and CVE-2025-42887 (accessible only to account holders).



Source: https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credentials-flaw-in-sql-anywhere-monitor/