Cyber Posture

CVE-2025-42890

Critical

Published: 11 November 2025

Published
11 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0010 26.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-42890, published on 2025-11-11, affects SQL Anywhere Monitor (Non-GUI), where hard-coded credentials (CWE-798) are baked into the code. This exposes resources and functionality to unintended users, enabling the possibility of arbitrary code execution with high impact on confidentiality, integrity, and availability. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, lack of prerequisites, and scope change.

Attackers can exploit this vulnerability remotely without privileges or user interaction. Exploitation allows arbitrary code execution, potentially leading to full system compromise across the affected environment.

SAP advisories provide mitigation guidance, including details in note 3666261 at https://me.sap.com/notes/3666261 and the SAP Security Patch Day page at https://url.sap/sapsecuritypatchday.

Details

CWE(s)
CWE-798

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability involves hard-coded credentials in a network-accessible service (SQL Anywhere Monitor), enabling unauthenticated remote arbitrary code execution, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References