SAP disclosed a maximum severity flaw in SQL Anywhere Monitor (Non-GUI) Tuesday, which involved hard-coded credentials and could have led to arbitrary code execution.

The flaw, tracked as CVE-2025-42890, has a CVSS score of 10 and was disclosed as part of SAP Security Patch Day for November 2025, along with 17 other new vulnerabilities.

CVE-2025-42890 is due to credentials included in the code of SQL Anywhere Monitor, which could expose resources or functionality to unintended users, SAP said.

SQL Anywhere Monitor is a browser-based tool that provides users with information about the health of their SQL Anywhere databases, according to the SAP website.

Attackers could potentially exploit this vulnerability to execute arbitrary code, causing a “high impact on confidentiality integrity and availability of the system,” SAP wrote.

The fix for CVE-2025-42890 completely removes SQL Anywhere Monitor, Onapsis noted in a blog post. Until the patch can be applied, SQL Anywhere users are advised to stop using SQL Anywhere Monitor and delete any instances of it as a workaround.

SAP’s latest security notes also include a fix for a critical code injection vulnerability in SAP Solution Manager, tracked as CVE-2025-42887, which has a CVSS score of 9.9. This flaw stems from a lack of input sanitization that would allow an authenticated attacker to “insert malicious code when calling a remote-enabled function module,” SAP wrote. The patch prevents exploitation by adding an input check that rejects most non-alphanumeric characters, Onapsis noted.

This vulnerability was discovered by SecurityBridge Threat Research Labs. "CVE-2025-42887 is particularly dangerous because it allows [an attacker] to inject code from a low-privileged user, which leads to a full SAP compromise and all data contained in the SAP system," SecurityBridge Director of Security Research Joris van de Vis said in a statement provided to SC Media.

A high-severity memory corruption vulnerability affecting SAP CommonCryptoLib, tracked as CVE-2025-42940, was also patched. The flaw has a CVSS score of 7.5 and could lead to a loss of application availability due to memory corruption errors and crashes. Due to a lack of necessary boundary checks, an unauthenticated attacker could send manipulated ASN.1 data over the network to cause a crash.

SAP also updated a previous security note for a maximum severity SAP NetWeaver flaw, CVE-2025-42944, which was disclosed last month, adding a prerequisite note and editing the workaround section, according to Onapsis.

The medium-severity flaws patched included a code injection vulnerability in SAP HANA JDBC Client, a JNDI injection vulnerability in the SAP NetWeaver Enterprise Portal, and an OS command injection flaw, path traversal flaw, open redirect vulnerability and cross-site scripting (XSS) vulnerability in SAP Business Connector.

Onapsis Research Labs contributed to seven of the SAP security notes published Tuesday, and SecurityBridge contributed to three of the notes, with SAP also crediting Splintersio, Anvil Secure, Tencent Security YUNDING Lab and independent researcher Rajan Kshedal for contributions to the November 2025 Security Patch Day.
SAP removes SQL Anywhere Monitor due to max severity security flaw
