CVE-2025-42890

Published Nov 11, 2025

Last updated 11 days ago

Overview

Description
SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution. This could cause high impact on confidentiality, integrity and availability of the system.
Source: cna@sap.com
NVD status: Deferred

Risk scores

CVSS 3.1

Type: Secondary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

cna@sap.com: CWE-798

Social media

Hype score: Not currently trending
  1. CVE-2025-42890 (CVSS:10.0, CRITICAL) is Awaiting Analysis. SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended use.. https://t.co/Y4WLasoNys #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    16 Nov 2025


  2. ⚠️Vulnerabilities in SAP products ❗CVE-2025-42890 ❗CVE-2025-42944 ❗CVE-2025-42887 ➡️More info: https://t.co/YEezsg2cT3 https://t.co/tGhhWUgkEE

    @CERTpy

    14 Nov 2025


  3. CVE-2025-42890: SAP SQL Anywhere Monitor hardcoded credentials (CVSS 10.0). Classic supply chain security failure exposing enterprise systems to trivial takeover. Patch: https://t.co/Eo5LEGllZO

    @gothburz

    12 Nov 2025


  4. 🔴 CVE-2025-42890 - SAP SQL Anywhere Monitor Hardcoded Creds RCE SAP's monitoring tool shipped with hardcoded credentials enabling unauthenticated RCE—rated CVSS 10.0. What's brutal: CVE-2025-42890 is the marquee issue, but SAP also patched CVE-2025-42887 and CVE-2025-4294

    @the_c_protocol

    12 Nov 2025


  5. #SAP: Patches 3 Critical Vulnerabilities (CVSS 10.0) Including RCE / Code Injection and Hardcoded Credentials affecting SQL Anywhere Monitor (Non-GUI), SAP NetWeaver AS Java, and SAP Solution Manager:(CVE-2025-42890, CVE-2025-42944, CVE-2025-42887): 👇 https://t.co/KgkaA6igjt

    @securestep9

    11 Nov 2025


  6. CVE-2025-42890 SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibilit… https://t.co/Z5mCSqvh99

    @CVEnew

    11 Nov 2025


  7. CVE-2025-42890 pertains to a security flaw in the **SQL Anywhere Monitor (Non-GUI)** component. The core issue involves **hardcoded credentials** embedded within the application's source code or binaries. This misconfiguration or oversight allows unauthenticated attackers to access

    @CveTodo

    11 Nov 2025


  8. 🚨 CRITICAL: CVE-2025-42890 impacts SAP SQL Anywhere Monitor 17.0 (Non-GUI) — hard-coded creds enable remote code exec & full system compromise! Audit, restrict access, & prep for patches now. https://t.co/eKcl6Yzier... https://t.co/twni7rkO1y

    @offseq

    11 Nov 2025


References

Sources include official advisories and independent security research.