A critical vulnerability in SAP S/4HANA is being actively exploited in the wild, allowing attackers with low-level user access to gain complete control over affected systems.
The vulnerability, tracked as CVE-2025-42957, carries a CVSS score of 9.9 out of 10, signaling a severe and imminent threat to organizations running all releases of S/4HANA, both on-premise and in private clouds.
The flaw was discovered by researchers at SecurityBridge Threat Research Labs, who have now verified that malicious actors are already using it.
SAP released a patch on August 11, 2025, and experts are urging all customers to apply the security updates immediately.
SAP S/4HANA Vulnerability Actively Exploited
Successful exploitation of this ABAP code injection vulnerability grants an attacker full administrative privileges. This allows them to access the underlying operating system and gain complete control over all data within the SAP system.
The consequences are dire and can include the theft of sensitive business information, financial fraud, espionage, or the deployment of ransomware.
An attacker could delete or insert data directly into the database, create new administrator accounts with SAP_ALL privileges, download password hashes, and modify core business processes with minimal effort.
What makes CVE-2025-42957 particularly dangerous is its low attack complexity. An attacker only needs access to a low-privileged user account, which could be obtained through phishing or other common methods.
From there, they can exploit the flaw over the network without any user interaction, escalating their privileges to achieve a full system compromise.
SecurityBridge, which responsibly disclosed the vulnerability to SAP on June 27, 2025, warns that unpatched systems are exposed to immediate risk.
Because SAP’s ABAP code is open, reverse engineering the patch to create a working exploit is a relatively simple task for skilled attackers.
Mitigations
Security experts have issued clear guidance for organizations to protect themselves:
- Patch Immediately: Apply SAP’s August 2025 security updates, specifically SAP Notes 3627998 and 3633838, without delay.
- Review Access: Restrict access to the S_DMIS authorization object and consider implementing SAP UCON to limit RFC usage.
- Monitor System Logs: Actively watch for suspicious RFC calls, the creation of new high-privilege users, or unexpected changes to ABAP code.
- Harden Defenses: Ensure robust system segmentation, regular backups, and SAP-specific security monitoring solutions are in place to detect and respond to attacks.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Source link
