Sap Fixes Hardcoded Credentials Flaw In SQL Anywhere Monitor

SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform.

The security problem in SQL Anywhere Monitor is tracked as CVE-2025-42890 and consists of hardcoded credentials. Because of the elevated risk, the vulnerability received the maximum severity score of 10.0.

"SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution," reads the description for the flaw.

Depending on how they are used, an attacker who obtains the credentials can use them to acceess administrative functions.

SQL Anywhere Monitor is a database monitoring and alert tool, part of the SQL Anywhere suite, typically used by organizations managing distributed or remote databases.

The non-GUI monitor component is typically deployed on unattended appliances where it runs without frequent human oversight.

The second critical vulnerability, identified as CVE-2025-42887, has a severity score of 9.9 and affects the SAP Solution Manager, a platform for application lifecycle management.

“Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module,” reads the entry in the National Vulnerability Database.

“This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system.”

SAP Solution Manager is a centralized management and monitoring platform for SAP environments, typically used by large enterprises that operate complex networks encompassing ERP, CRM, and analytics solutions.