Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202511-00000009
[Content Description]
【CVE-2025-42887, CVSS: 9.9】 Missing input sanitization allows an authenticated attacker to inject malicious code when calling a remote function module, affecting the confidentiality, integrity, and availability of the system.
【CVE-2025-42890, CVSS: 10.0】 SQL Anywhere Monitor (Non-GUI) has a key and key-management vulnerability caused by credentials embedded directly in the program, which may allow an unauthorized attacker to access system resources or execute arbitrary code, affecting the confidentiality, integrity, and availability of the system.
[Affected Platforms]
● SAP Solution Manager ST version 720
● SQL Anywhere Monitor (Non-GUI) SYBASE_SQL_ANYWHERE_SERVER version 17.0
[Recommended Actions]
Apply the fixes published on the vendor's official site:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html
[References]
https://www.twcert.org.tw/tw/cp-169-10505-efc69-1.html