CVE-2025-42890

Critical

Published: 11 November 2025

Published

11 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0010 26.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-42890 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Sap (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

IA-5 prohibits embedding authenticators in software, directly preventing hard-coded credentials baked into SQL Anywhere Monitor as in this CVE.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and remediation of system flaws like this hard-coded credentials vulnerability via patching per SAP advisories.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege to limit the scope and impact of unauthorized access and arbitrary code execution enabled by the exposed credentials.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability involves hard-coded credentials in a network-accessible service (SQL Anywhere Monitor), enabling unauthenticated remote arbitrary code execution, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system.

Deeper analysisAI

CVE-2025-42890, published on 2025-11-11, affects SQL Anywhere Monitor (Non-GUI), where hard-coded credentials (CWE-798) are baked into the code. This exposes resources and functionality to unintended users, enabling the possibility of arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, lack of prerequisites, and scope change.

Attackers can exploit this vulnerability remotely without privileges or user interaction. Exploitation allows arbitrary code execution, potentially leading to full system compromise across the affected environment.

SAP advisories provide mitigation guidance, including details in note 3666261 at https://me.sap.com/notes/3666261 and the SAP Security Patch Day page at https://url.sap/sapsecuritypatchday.