SAP Security Notes, November 2025

Hot news note 3666261 patches a critical code execution vulnerability in SAP SQL Anywhere. The correction removes the SQL Anywhere Monitor. The note recommends switching to the SQL Anywhere Cockpit for database administration.

Hot news note 3668705 addresses a code injection vulnerability in SAP Solution Manager arising from missing input validation in a vulnerable remote-enabled function module. The correction removes the vulnerability by sanitizing input, including rejecting some non-alphanumeric characters.

Note 3660659 was updated for a critical insecure deserialization vulnerability in SAP NetWeaver AS Java. Corrections now include the prerequisite note 3670067 to increase the character limit in configuration values for VM properties. Additional hardening suggestions for optional classes and packages were also added to the note.

Note 3633049 patches a high-risk memory corruption vulnerability in CommonCryptoLib, the SAP Common Cryptographic Library (CCL). CCL supports encryption, validation of digital certificates, and other functions in SAP solutions including NetWeaver AS ABAP and SAP HANA. The vulnerability can be exploited by attackers to trigger a denial of service. The correction improves boundary checks to prevent buffer overflows. CommonCryptoLib installations should be upgraded to version 8.5.60 or higher. CCL is also bundled in some SAP components, and the impacted components should be upgraded as well to address the vulnerability. Note 3628110 includes details of the relevant components and recommended versions.
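When checking an estate against the 8.5.60 floor, the comparison has to be numeric per component, because a plain string comparison ranks 8.5.9 above 8.5.60. The following is an added example, not code from SAP or the notes; the inventory format (`<host> <version>`), the host names and the function names are assumptions made for illustration.

```python
import re

# Minimum fixed CommonCryptoLib version stated in the note summary above.
MIN_FIXED = (8, 5, 60)

# Constructed inventory for illustration: "<host> <reported CCL version>".
# The host names and the line format are assumptions, not SAP tool output.
SAMPLE_INVENTORY = """\
abap-prd-01 8.5.60
abap-qas-01 8.5.9
hana-prd-01 8.5.59
hana-dev-01 8.6.1
java-prd-01 unknown
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not N.N.N."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory, minimum=MIN_FIXED):
    """Classify each host as 'ok', 'upgrade' or 'unverified'."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, raw = line.strip().partition(" ")
        version = parse_version(raw)
        if version is None:
            # Unparseable versions are never treated as patched.
            result[host] = "unverified"
        elif version >= minimum:
            result[host] = "ok"
        else:
            result[host] = "upgrade"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unverified` need a manual check, and components that bundle CCL still have to be compared against the versions listed in note 3628110.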