【資安漏洞預警】SAP針對旗下2款產品發布重大資安公告

【行政公告】

公告單位	圖資處數位服務組
訊息類別	行政公告行政公告	公告對象	全體
公告主題	【資安漏洞預警】SAP針對旗下2款產品發布重大資安公告 [Security Vulnerability Alert] SAP Issues Major Cybersecurity Announcement Regarding Two of Its Products
公告內容	轉發　台灣電腦網路危機處理暨協調中心資安訊息警訊 TWCERTCC-200-202511-00000009 [內容說明] 【CVE-2025-42887，CVSS：9.9】此漏洞缺少輸入清理機制，允許經過身分驗證的攻擊者呼叫遠端功能模組時，植入惡意程式碼，影響系統的機密性、完整性和可用性。【CVE-2025-42890，CVSS：10.0】 SQL Anywhere Monitor (Non-GUI) 存在金鑰和金鑰管理安全漏洞，該漏洞源於程式中直接嵌入憑證，可能使未經授權的攻擊者取得系統資源或執行任意程式碼，影響系統的機密性、完整性和可用性。 [影響平台] ● SAP Solution Manager ST 720版本 ● SQL Anywhere Monitor (Non-Gui) SYBASE_SQL_ANYWHERE_SERVER 17.0版本 [建議措施] 根據官方網站釋出的解決方式進行修補： https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html [參考資料] https://www.twcert.org.tw/tw/cp-169-10505-efc69-1.html Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202511-00000009 [Content Description] 【CVE-2025-42887, CVSS: 9.9】 This vulnerability lacks input cleanup mechanisms, allowing authenticated attackers to inject malicious code when calling remote function modules, affecting system confidentiality, integrity, and availability. 【CVE-2025-42890, CVSS: 10.0】 SQL Anywhere Monitor (Non-GUI) has a key and key management security vulnerability. This vulnerability stems from directly embedding credentials in the program, potentially allowing unauthorized attackers to gain access to system resources or execute arbitrary code, affecting system confidentiality, integrity, and availability. [Affected Platforms] ● SAP Solution Manager ST version 720 ● SQL Anywhere Monitor (Non-Gui) SYBASE_SQL_ANYWHERE_SERVER version 17.0 [Recommended Actions] Patch according to the solutions released on the official website: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html [References] https://www.twcert.org.tw/tw/cp-169-10505-efc69-1.html
相關訊息
公告時間	2025/11/17 至 2026/5/17	點閱次數	98