CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-42890

CVSS 10.0v3.1pub. 2025-11-11upd. 2026-04-15

SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system.

🤖 AI Analysis
How it works

Credentials (such as passwords or access keys) have been permanently embedded in the SQL Anywhere Monitor (Non-GUI) application code instead of being stored in a secure, configurable manner. An attacker who gains access to these credentials — for example, through analysis of binary files or source code — can authenticate to protected system resources or functions without the administrator's knowledge. As a result, arbitrary code execution on the vulnerable system is possible.

Impact

An attacker can gain full, unauthorized access to system resources and functions, resulting in high impact on confidentiality, integrity, and availability — including the ability to execute arbitrary code (RCE) on the vulnerable instance.

Mitigation & patch

Security patches available from the vendor should be applied in accordance with the references — SAP Note No. 3666261 (https://me.sap.com/notes/3666261) and official SAP Security Patch Day page (https://url.sap/sapsecuritypatchday). Priority implementation of updates is recommended due to the critical severity level of the vulnerability.

Who is affected

SAP SQL Anywhere Monitor (Non-GUI version); detailed version information available in SAP Note No. 3666261 and on the SAP Security Patch Day page.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References