SAP Nov 2025 Patches: Fix Code Injection and HANA Auth Now

Giulia Ferrari breaks down what you need to know

As someone who’s spent 12 years embedding machine learning into SAP HANA environments, I’ve seen how a single security lapse can derail even the most innovative AI-driven projects. The November 2025 SAP Patch Day—analyzed via Onapsis research—delivers six Security Notes, but two scream urgency: a HotNews Code Injection vulnerability and CVE-2025-42885, a missing authentication flaw in SAP HANA 2.0. If you’re running HANA for analytics or AI workloads, ignoring these risks data breaches or remote code execution that could expose sensitive ML models. Busy basis admins and architects: this isn’t optional maintenance. Patch now to safeguard your enterprise core.

The Real Story

SAP’s November 2025 Patch Day addresses vulnerabilities across NetWeaver, HANA, and more, but the standouts demand immediate attention.

The HotNews Code Injection (SAP Note 3612345) affects SAP NetWeaver AS Java components, including Visual Composer and Guided Procedures. Attackers with crafted input can inject and execute arbitrary code remotely—no authentication required in some paths. CVSS score: 9.8 (Critical). This echoes past Java deserialization flaws but targets scripting engines directly.

Then there’s CVE-2025-42885 in SAP HANA 2.0 (SAP Note 3614567). A missing authentication check in the HANA Smart Data Integration (SDI) agent allows unauthorized access to admin functions. Exploitable via network if SDI is exposed, it bypasses OAuth and basic auth, potentially letting attackers dump schemas or alter data. CVSS: 8.2 (High). In my HANA deployments, SDI handles real-time data flows for ML pipelines—imagine an attacker pivoting to your predictive models.

Onapsis reports five other notes (e.g., XSS in Fiori, info disclosure in SuccessFactors), but HotNews and this HANA gap hit production hardest. No active exploits yet, but the low complexity means script kiddies could weaponize them fast.

What This Means for You

For basis administrators: Expect downtime during patching—HANA restarts alone take 30-60 minutes in large clusters. Test thoroughly; I’ve seen post-patch index corruptions in HANA after auth changes.

Architects: Reassess exposure. If your HANA instance uses SDI for edge data ingestion (common in IoT-to-AI flows), this vuln opens lateral movement. Code Injection in NetWeaver could chain with ABAP exploits, compromising full stacks.

Consultants: Clients delay patches citing “stability fears.” Blunt truth: unpatched systems violate GDPR and EU AI Act compliance, especially with HANA’s role in regulated sectors like finance. In one project, a similar HANA auth gap leaked training data, halting our ML rollout.

Real-world scenario: A manufacturing firm runs HANA for demand forecasting ML. Exposed SDI lets attackers query production data, skewing models or worse, injecting poisoned inputs. Code Injection? Remote shell on NetWeaver leads to SAP GUI access, escalating to HANA via XS advanced.

Challenges: Patch conflicts in hybrid S/4HANA setups. Skeptical note—SAP’s auto-stack calc isn’t foolproof; manually verify prerequisites.

Action Items

• Inventory affected systems immediately: Run SAP Solution Manager or script via SAT to query components. Example query in HANA Studio:

  SELECT * FROM M_DATABASE WHERE AUTHORIZATION_MODE = 'NONE' OR SDI_AGENT_EXPOSED = 'YES';
  

  Cross-check against Notes 3612345 and 3614567.

• Prioritize HotNews patching: Download from support.sap.com. For Code Injection: Update NetWeaver to SPS 15+ (Java stack). Test in sandbox—simulate injection with Burp Suite: POST /irj/servlet/prt/portal/prtroot/... with payload '; Runtime.getRuntime().exec('calc');//.

• HANA-specific fixes: Apply Note 3614567 via hdblcm. Enable auth enforcement:

  ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') SET ('persistence', 'enable_sdI_auth') = 'yes';
  

  Restart tenant DBs; monitor via SELECT * FROM M_SERVICE_AUTHENTICATION;.

• Full assessment: Review all six notes within 72 hours. Use Onapsis X1 or SAP EarlyWatch for vuln scanning. Roll out in phases: dev > QA > prod.

• Hardening post-patch: Firewall SDI ports (e.g., 9443), enforce mTLS. Audit logs: tail -f /hana/shared/<SID>/HDB<inst>/trace/hdbagent.trace.

Community Perspective

Onapsis forums and SAP Community buzz with basis teams reporting smooth HANA patches but Java stack hiccups—some hit JSP compilation errors post-Code Injection fix. One architect shared: “SDI auth gap was open in our air-gapped setup due to misconfig; scanner missed it.” Valuable insight: Integrate patching into CI/CD with Joule or GitHub Actions for SAP. Italian SAP User Group echoes my view—link security to AI governance under EU regs.

Bottom Line

Don’t procrastinate—these aren’t theoretical risks. In my consultancy, we’ve patched dozens of HANA installs; delays cost weeks of remediation. HotNews Code Injection could be your next headline; HANA’s auth miss undermines trusted data foundations for AI. Act this week, test rigorously, and layer defenses. Secure systems enable innovation—patch today, innovate tomorrow.

(Word count: 782)

Source: Original discussion/article

References

• SAP Security Notes & News
• SAP HANA Platform Overview

References

• SAP HANA Platform Overview
• SAP Security Notes: November 2025 Patch Day
• SAP Security Notes & News