A critical security flaw in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited by attackers, according to research from SecurityBridge.
The vulnerability, which carries a CVSS score of 9.9 out of 10, allows a low-privileged user to execute code injection and gain full control of an SAP system.
Organizations running SAP S/4HANA on-premise or in private cloud environments must apply the vendor’s patch immediately to prevent a complete system takeover.
| CVE Identifier | CVSS Score | Affected Releases |
|---|---|---|
| CVE-2025-42957 | 9.9 | All SAP S/4HANA releases (On-Premise and Private Cloud) |
SecurityBridge’s Threat Research Labs first discovered the flaw during routine security testing and disclosed it to SAP on June 27, 2025.
SAP released a fix as part of its August 2025 Patch Day on August 11. However, SecurityBridge has confirmed that the vulnerability is already used in real-world attacks, meaning unpatched systems remain at high risk.
Exploitation of CVE-2025-42957 requires only a valid SAP user account with access to a vulnerable RFC module and the S_DMIS authorization object with activity 02.
No additional user interaction, such as clicking a malicious link, is needed. Once exploited, an attacker can:
- Execute arbitrary ABAP code on the SAP application layer
- Read, modify, or delete any data in the SAP database
- Create new SAP users with full administrative rights (SAP_ALL)
- Download password hashes for all SAP accounts
- Alter or disable critical business processes
The simplicity of the attack and its network-based nature make this flaw extremely dangerous.
A threat actor could start with basic user credentials obtained via phishing or insider access and rapidly escalate privileges to take over the entire SAP environment.
From there, attackers can tamper with financial records, steal customer data, or deploy ransomware on underlying servers.
SecurityBridge has not observed widespread global campaigns yet, but targeted abuse is confirmed.
Experts warn that reverse-engineering the SAP patch is relatively straightforward because ABAP code is open and visible. This ease of exploit development underscores the urgency of patching.
To mitigate risk, SAP customers should:
- Apply SAP Security Notes 3627998 and 3633838 without delay.
- Review and restrict S_DMIS authorization object usage and limit RFC calls.
- Monitor system logs for unusual RFC requests or new administrative accounts.
- Enforce network segmentation and maintain up-to-date backups.
- Consider deploying SAP UCON to tighten access controls.
Organizations using the SecurityBridge platform can also detect and block exploitation attempts for CVE-2025-42957, gaining visibility into suspicious activity.
This incident highlights the critical importance of timely patching and monitoring within SAP landscapes.
Enterprises must treat this vulnerability as an emergency, prioritizing rapid deployment of updates and strengthening their overall SAP security posture to prevent potential fraud, data loss, or operational disruption.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
