Urgent security alert for SAP users! A critical vulnerability (CVE-2025-42957) allows attackers to take full control of your system. Find out if your SAP S/4HANA is at risk and what steps to take now to mitigate the threat.
A critical security flaw has been found in several SAP products, including SAP S/4HANA, a system used by a wide range of global companies to manage their finances, supply chains, and other key business functions. This vulnerability, tracked as CVE-2025-42957, is considered highly dangerous because it could allow a malicious actor to take complete control of a company’s SAP system.
The Colorado-based identity and access security provider firm, Pathlock Research Lab, has confirmed that the vulnerability is already being actively exploited by hackers. Despite requiring a low-level user account for access, this flaw is easy for an attacker to use, and once inside, they can bypass security checks to inject their own malicious code.
The Dangers of the Vulnerability
The potential damage from this flaw is severe. An attacker who successfully exploits it could gain administrator-level control, allowing them to steal sensitive data, create hidden backdoors, disrupt operations, and even deploy ransomware.
Since SAP S/4HANA is central to so many critical business processes, a compromise could cause significant financial and operational damage to a company. The vulnerability affects SAP S/4HANA (Private Cloud or On-Premise) with the core Enterprise Management component S4CORE versions 102, 103, 104, 105, 106, 107, and 108.
Immediate Action is Required
The Dutch National Cyber Security Center (NCSC-NL) issued a security advisory on September 5, 2025, specifically to address the risks posed by this vulnerability. The advisory, which carries a medium-high priority, confirms that these vulnerabilities have been fixed in various SAP products and that the CVE-2025-42957 flaw is being actively exploited in the wild. The advisory serves as a formal confirmation of the threat and a call to action for organisations to protect themselves.
Also, SAP released patches for the affected systems on August 12, 2025, which are the only way to fully protect against this threat. Organisations using SAP S/4HANA, SAP NetWeaver, or other affected products are strongly urged to apply these security updates immediately. Two specific patches, Note 3627998 for S/4HANA and Note 3633838 for SAP Landscape Transformation, are especially important to install.
For companies that have not yet applied the August 2025 security updates, the risk of a cyberattack is high. Monitoring systems for unusual activity and strengthening security measures are also recommended to help prevent or detect any attempts to exploit this critical vulnerability.
Expert Insight
Shane Barney, Chief Information Security Officer at Keeper Security, shared his expert opinion on the matter, describing the CVE as a “textbook example” of why untrusted input should never be allowed to dictate how code runs. “Once dynamic code execution is in play, attackers can turn small openings into complete system compromise,” Barney said.
He recommended that organisations avoid dynamic code execution or, at a minimum, strictly limit what commands are allowed. He also stressed the importance of having a deep understanding of how applications are designed to operate to effectively detect and contain attacks before they spread.
