Overview
SAP’s security patch day for November 2025 has seen the release of 20 OSS SAP security notes. Three notes have been classified as critical, one as high, fourteen as medium and two as low, based on their CVSS v3.0 base score.
(Chart: Security Notes by CVSS v3 Base Score)

Five notes have been released for:
• SAP NetWeaver
Two notes have been released for:
• SAP NetWeaver AS Java
• SAP HANA Database
Single notes have been released for:
• SAP Solution Manager
• SAP Gateway Foundation
• SAP Sybase ASE
• SAP Single Sign-On
• SAP GUI for Windows
• SAP ERP HCM
• SAP NetWeaver Portal
• SAP Localization
• SAP Business One
• SAP Db2
• SAP Fiori for Finance
(Chart: Security Notes by Product Category)

Vulnerabilities: November 2025 Highlights
[CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP (SAP Note 3426825)
Cached values belonging to the SAP OData endpoint in SAP Fiori for SAP ERP could be poisoned by modifying the Host header value in an HTTP GET request. An attacker could alter the values in the returned metadata, redirecting clients from the SAP server to a malicious link set by the attacker. Successful exploitation has a low impact on the integrity of the application.
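The mechanism above is that the OData $metadata document carries absolute links built from the request's Host header, so a poisoned cache entry points every later client at the attacker's host. The following check is an added, illustrative example written for this review; it is not SAP's code and does not reproduce the fix in SAP Note 3426825. The service path, the hostnames and the sample metadata are constructed assumptions.

```python
"""Added, illustrative check for the Host-header cache-poisoning class described
above (CVE-2025-23191). Not SAP's code and not the fix in SAP Note 3426825; the
service path, hostnames and sample metadata below are assumptions.

foreign_hosts() flags every absolute URL in an OData $metadata document whose
host is not the host the service is expected to publish.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse
from urllib.request import Request, urlopen


def foreign_hosts(metadata_xml: str, expected_host: str) -> List[Tuple[str, str]]:
    """Return (attribute, url) pairs for every absolute http(s) URL in the
    metadata whose host differs from expected_host.

    Namespace declarations (xmlns:*) are not attributes to ElementTree, so the
    schema URIs that every EDMX document carries are not reported.
    """
    root = ET.fromstring(metadata_xml)
    expected = expected_host.lower()
    hits = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if not value.lower().startswith(("http://", "https://")):
                continue
            if urlparse(value).netloc.lower() != expected:
                # Strip the namespace part from names such as {...}base (xml:base)
                hits.append((name.split("}")[-1], value))
    return hits


def probe_metadata(service_url: str, spoofed_host: str, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Fetch $metadata with a manipulated Host header and return the links that
    now point at the spoofed host.

    Caution: on an unpatched system this request is the attack itself, because
    the values it produces are what gets cached and served to other clients.
    Run it only against a test system you are authorised to poison. Network
    call; not exercised by the offline sample below.
    """
    req = Request(service_url.rstrip("/") + "/$metadata", headers={"Host": spoofed_host})
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    expected = urlparse(service_url).netloc
    return [(name, url) for name, url in foreign_hosts(body, expected)
            if urlparse(url).netloc.lower() == spoofed_host.lower()]


# Constructed sample: the shape of a Gateway $metadata response, not a capture.
SERVICE_HOST = "erp.example.internal"
CLEAN_METADATA = """<edmx:Edmx Version="1.0"
    xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx"
    xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
    xmlns:atom="http://www.w3.org/2005/Atom"
    xml:base="https://erp.example.internal/sap/opu/odata/sap/ZEXAMPLE_SRV/">
  <edmx:DataServices m:DataServiceVersion="2.0">
    <Schema Namespace="ZEXAMPLE_SRV" xml:lang="en"
        xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
      <EntityContainer Name="ZEXAMPLE_SRV_Entities" m:IsDefaultEntityContainer="true"/>
    </Schema>
  </edmx:DataServices>
  <atom:link rel="self"
      href="https://erp.example.internal/sap/opu/odata/sap/ZEXAMPLE_SRV/$metadata"/>
  <atom:link rel="latest-version"
      href="https://erp.example.internal/sap/opu/odata/sap/ZEXAMPLE_SRV/$metadata"/>
</edmx:Edmx>"""

# The same document after a request carrying "Host: attacker.example" was cached.
POISONED_METADATA = CLEAN_METADATA.replace("erp.example.internal", "attacker.example")


if __name__ == "__main__":
    print("clean   :", foreign_hosts(CLEAN_METADATA, SERVICE_HOST))
    print("poisoned:", foreign_hosts(POISONED_METADATA, SERVICE_HOST))
```

foreign_hosts() can be run against a $metadata document fetched normally (no spoofed Host) to see whether a cache has already been poisoned, which is the safer check on a production system; probe_metadata() is the active test and belongs on a non-production instance only.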
[CVE-2025-42924] Open Redirect vulnerabilities in SAP S/4HANA landscape (SAP E-Recruiting BSP) (SAP Note 3642398)
SAP E-Recruiting BSP in the SAP S/4HANA landscape allows an unauthenticated attacker to craft malicious links which, when clicked, redirect the victim to a page controlled by the attacker. This has a low impact on the confidentiality and integrity of the application, with no impact on availability.
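An open redirect arises when a URL-bearing parameter is passed straight into the Location header. The validator below is an added, illustrative example for this review; it is not SAP's code and not the fix shipped in SAP Note 3642398. The hostnames and the BSP path in the sample are assumptions, and it also covers the common ways a foreign host is smuggled past a naive prefix check (protocol-relative links, backslashes, URL-encoding, userinfo tricks).

```python
"""Added, illustrative redirect-target validator for the open-redirect class
described above (CVE-2025-42924). Not SAP's code and not the fix in SAP Note
3642398; the hostnames and BSP path below are assumptions.

Only a same-site path or an absolute http(s) URL whose host is on an allow
list passes; everything else is rejected and the caller should fall back to
a fixed landing page.
"""
from typing import FrozenSet, Optional
from urllib.parse import unquote, urlsplit


def safe_redirect_target(target: str, allowed_hosts: FrozenSet[str]) -> Optional[str]:
    """Return target unchanged if it may be used in a redirect, else None."""
    if not target:
        return None
    decoded = unquote(target)           # validate the decoded form, return the original
    if decoded != decoded.strip():      # leading/trailing whitespace hides the real target
        return None
    if any(ord(ch) < 0x20 for ch in decoded):   # CR/LF/tab: header injection or parser confusion
        return None
    if "\\" in decoded:                 # browsers treat "/\evil" as "//evil"
        return None
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        # Relative target: one leading slash only; "//host" is protocol-relative
        return target if decoded.startswith("/") and not decoded.startswith("//") else None
    if parts.scheme not in ("http", "https"):   # javascript:, data:, file: ...
        return None
    if parts.username or parts.password:        # "https://trusted@evil.example/"
        return None
    if parts.hostname in allowed_hosts:         # hostname is lower-cased, port stripped
        return target
    return None


ALLOWED_HOSTS = frozenset({"erp.example.internal"})

if __name__ == "__main__":
    # Constructed candidates; the BSP path is a placeholder, not a real application.
    for candidate in ["/sap/bc/bsp/sap/zrecruit/start.htm",
                      "https://erp.example.internal/sap/bc/bsp/sap/zrecruit/start.htm",
                      "https://attacker.example/login",
                      "//attacker.example/login",
                      "/\\attacker.example",
                      "%2F%2Fattacker.example",
                      "https://erp.example.internal@attacker.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:60} -> {safe_redirect_target(candidate, ALLOWED_HOSTS)!r}")
```

The check is deliberately an allow list rather than a deny list: a deny list of known-bad prefixes is what the encoded and backslash variants above are designed to slip past.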
[CVE-2025-42883] Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (SAP Note 3634053)
Migration Workbench (“DX Workbench”) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this to upload a malicious file into the system. This results in a low impact on the integrity of the application, with no impact on confidentiality or availability.
[CVE-2025-42882] Missing Authorization check in SAP NetWeaver Application Server for ABAP (SAP Note 3643337)
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific ABAP function module to retrieve restricted technical information from the system. This disclosure of environment details could assist the attacker in planning subsequent attacks. As a result, this vulnerability has a low impact on confidentiality, with no impact on the integrity or availability of the application.
About this Review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.