
SAP Patches Critical Flaws in SQL Anywhere Monitor, Solution Manager

  • November 11, 2025

Jasper_The_Rasper
Moderator

Hardcoded credentials in SQL Anywhere Monitor could allow attackers to execute arbitrary code on vulnerable deployments.


November 11, 2025 By Ionut Arghire


Enterprise software maker SAP on Tuesday announced the release of 18 new security notes and one updated note as part of its November 2025 security patches.

The most important of SAP’s November 2025 notes deals with CVE-2025-42890 (CVSS score of 10/10), described as an insecure key and secret management vulnerability in SQL Anywhere Monitor.

The bug exists because hardcoded credentials in SQL Anywhere Monitor could be exploited to execute arbitrary code on the affected systems, impacting system confidentiality, integrity, and availability.

To resolve the issue, SAP removed SQL Anywhere Monitor entirely, according to enterprise application security firm Onapsis.

“As a temporary workaround, SAP recommends to stop using SQL Anywhere Monitor and to delete any instances of SQL Anywhere Monitor database,” Onapsis notes.

On Tuesday, SAP also rolled out fixes for CVE-2025-42887 (CVSS score of 9.9), a critical-severity code injection defect in Solution Manager. The flaw exists because a remote-enabled function module did not sanitize user input, allowing attackers to inject malicious code.

Additionally, the software maker updated a security note originally released on the October 2025 Security Patch Day to harden protections against recent insecure deserialization flaws in NetWeaver AS Java. The note tackles CVE-2025-42944, a security defect with a CVSS score of 10/10.

SAP’s fresh patches also resolve CVE-2025-42940 (CVSS score of 7.5), a high-severity memory corruption vulnerability in CommonCryptoLib.

“Missing boundary checks enable an attacker to send malicious data which could result in memory corruption followed by an application crash,” Onapsis explains.

The remaining notes released on SAP’s November 2025 Security Patch Day address medium- and low-severity bugs in HANA JDBC Client, Business Connector, NetWeaver, S/4HANA landscape, HANA 2.0, SAP GUI for Windows, Starter Solution, Business One, and S4CORE.

Between the October and November patches, SAP rolled out updates for six security notes, including an October 2025 note that addresses a critical-severity unrestricted file upload issue in Supplier Relationship Management.

Tracked as CVE-2025-42910 (CVSS score of 9.0), the defect could allow authenticated attackers to upload potentially malicious files. The updated note contains extended validity information.
