SAP fixed a maximum severity flaw in SQL Anywhere Monitor

SAP fixed 19 security issues, including a critical flaw in SQL Anywhere Monitor with hardcoded credentials that could enable remote code execution.
SAP addressed 19 security vulnerabilities, including a critical flaw in SQL Anywhere Monitor, with the release of November 2025 notes.
The vulnerability, tracked as CVE-2025-42890 (CVSS score of 10/10), is an insecure key and secret management vulnerability in SQL Anywhere Monitor (Non-GUI). According to the advisory, hardcoded credentials in SQL Anywhere Monitor allow arbitrary code execution, threatening system confidentiality, integrity, and availability.
“SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution,” reads the advisory. “This could cause high impact on confidentiality, integrity and availability of the system.”
Experts advise discontinuing the use of SQL Anywhere Monitor and deleting all existing monitor database instances as a temporary workaround.
SAP also addressed a critical code injection vulnerability, tracked as CVE-2025-42887 (CVSS score of 9.9), in SAP Solution Manager. Because of missing input sanitization, an authenticated attacker can trigger the flaw to insert malicious code when calling a remote-enabled function module.
“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” reads the advisory. “This could provide the attacker with full control of the system, hence leading to high impact on confidentiality, integrity and availability of the system.”
SAP also released an update to a Security Note first published on the October 2025 Patch Day, which provides critical security hardening against insecure deserialization in SAP NetWeaver AS Java, tracked as CVE-2025-42944.
It is unclear if any of the security flaws addressed by the company this month have been actively exploited in attacks in the wild.
Pierluigi Paganini
(SecurityAffairs – hacking, SQL Anywhere Monitor)
