

Ethical Hacking News

SAP Addressing Maximum Severity Flaw in SQL Anywhere Monitor to Prevent Remote Code Execution


SAP has issued patches for a maximum severity flaw in its SQL Anywhere Monitor, which allows arbitrary code execution due to hardcoded credentials. The vulnerability, tracked as CVE-2025-42890 (CVSS score of 10/10), is considered highly impactful on system confidentiality, integrity, and availability.

  • The SAP SQL Anywhere Monitor has a maximum severity flaw (CVE-2025-42890) that allows arbitrary code execution due to hardcoded credentials.
  • The vulnerability is highly impactful on system confidentiality, integrity, and availability with a CVSS score of 10/10.
  • Hardcoded credentials allow attackers to execute arbitrary code, compromising the security of the system.
  • A critical code injection vulnerability (CVE-2025-42887) in Solution Manager software could lead to full control of the system.
  • A security hardening patch for insecure deserialization in SAP NetWeaver AS Java (CVE-2025-42944) is available to address this vulnerability.


    SAP has recently released patches for a maximum severity flaw in its SQL Anywhere Monitor, which allows arbitrary code execution due to hardcoded credentials. The vulnerability, tracked as CVE-2025-42890 (CVSS score of 10/10), is considered highly impactful on system confidentiality, integrity, and availability.

    According to the advisory issued by SAP, the hardcoded credentials in SQL Anywhere Monitor allow attackers to execute arbitrary code, compromising the security of the system. The vulnerability is attributed to a lack of secure key and secret management practices in the software.

    The impact of this flaw is significant, as it could enable attackers to gain unauthorized access to the system, potentially leading to data breaches or other malicious activities. SAP has emphasized the importance of addressing this issue promptly and has advised users to take immediate action to patch the vulnerability.

    In addition to the SQL Anywhere Monitor flaw, SAP has also addressed a critical code injection vulnerability (CVE-2025-42887) in its Solution Manager software. This vulnerability allows an attacker to inject malicious code when calling remote-enabled function modules, potentially leading to full control of the system.

    Furthermore, SAP has released an update to the Security Note from its October 2025 Patch Day, which provided critical security hardening against insecure deserialization in SAP NetWeaver AS Java (CVE-2025-42944). This vulnerability could allow attackers to inject malicious code into the system, compromising its integrity and availability.

    It is unclear whether any of these security flaws have been actively exploited in the wild. However, SAP's prompt release of patches for these vulnerabilities highlights the company's commitment to addressing potential security risks and protecting its customers' systems.

    The incident serves as a reminder of the importance of regularly reviewing and patching software vulnerabilities to prevent exploitation by attackers. It also underscores the need for organizations to implement robust security measures, including secure key management practices, to protect their systems from potential threats.



  • Published: Tue Nov 11 15:29:38 2025 by llama3.2 3B Q4_K_M












