Saved February 14, 2026
SAP addressed 19 security vulnerabilities, including a critical flaw in SQL Anywhere Monitor that allowed remote code execution through hardcoded credentials. Experts recommend discontinuing the use of SQL Anywhere Monitor and deleting existing database instances as a temporary fix. Other vulnerabilities in SAP Solution Manager and SAP NetWeaver AS Java were also patched.
SAP recently patched 19 security vulnerabilities, prominently featuring a critical flaw in SQL Anywhere Monitor. This issue, identified as CVE-2025-42890, has a CVSS score of 10, indicating the highest severity. The flaw stems from hardcoded credentials within the SQL Anywhere Monitor (Non-GUI), which could allow attackers to execute arbitrary code remotely. The advisory warns that these baked-in credentials expose the system to unauthorized access, posing significant risks to confidentiality, integrity, and availability.
In addition to the SQL Anywhere Monitor flaw, SAP addressed another serious vulnerability in SAP Solution Manager, labeled CVE-2025-42887, with a CVSS score of 9.9. This vulnerability arises from inadequate input sanitization, enabling authenticated attackers to inject malicious code when interacting with remote-enabled function modules. The potential impact includes full control over the system, further jeopardizing sensitive data and operational integrity.
SAP has also updated a security note from October 2025, focusing on insecure deserialization in SAP NetWeaver AS Java, tracked as CVE-2025-42944. While these vulnerabilities have been patched, it remains uncertain if they were exploited in active attacks before the fixes were released. Experts recommend discontinuing the use of SQL Anywhere Monitor and removing existing monitor database instances as a temporary measure to mitigate risks.