Cyber Resilience

CVE-2025-42890

Critical

Published: 11 November 2025

Published
11 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0012 30.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-42890 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Sap (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-42890, published on 2025-11-11, affects SQL Anywhere Monitor (Non-GUI), where hard-coded credentials (CWE-798) are baked into the code. This exposes resources and functionality to unintended users, enabling the possibility of arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, lack of prerequisites, and scope change.

Attackers can exploit this vulnerability remotely without privileges or user interaction. Exploitation allows arbitrary code execution, potentially leading to full system compromise across the affected environment.

SAP advisories provide mitigation guidance, including details in note 3666261 at https://me.sap.com/notes/3666261 and the SAP Security Patch Day page at https://url.sap/sapsecuritypatchday.

EU & UK References

Vulnerability details

SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability involves hard-coded credentials in a network-accessible service (SQL Anywhere Monitor), enabling unauthenticated remote arbitrary code execution, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36911Shared CWE-798
CVE-2026-35503Shared CWE-798
CVE-2017-20234Shared CWE-798
CVE-2026-32834Shared CWE-798
CVE-2026-27073Shared CWE-798
CVE-2026-30701Shared CWE-798
CVE-2025-10850Shared CWE-798
CVE-2024-50688Shared CWE-798
CVE-2026-25202Shared CWE-798
CVE-2025-1393Shared CWE-798

Affected Assets

Sap
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 prohibits embedding authenticators in software, directly preventing hard-coded credentials baked into SQL Anywhere Monitor as in this CVE.

prevent

SI-2 requires timely identification, reporting, and remediation of system flaws like this hard-coded credentials vulnerability via patching per SAP advisories.

prevent

AC-6 enforces least privilege to limit the scope and impact of unauthorized access and arbitrary code execution enabled by the exposed credentials.

References