Critical SAP S/4HANA Flaw CVE-2025-42957 Under Active Exploitation

Security researchers have issued an alert warning of a critical vulnerability in SAP S/4HANA that is currently under active exploitation. The flaw, tracked as CVE-2025-42957 (CVSS score: 9.9), poses a significant threat to organizations running SAP's enterprise resource planning (ERP) suite.

The vulnerability, which allows an attacker with user privileges to inject arbitrary ABAP code into the system, bypasses essential authorization checks and creates a backdoor for full system compromise. This can lead to serious consequences, including the alteration of databases, creation of superuser accounts, and theft of password hashes. In essence, the exploit enables attackers to access and manipulate sensitive data, potentially leading to fraud, data theft, espionage, or even ransomware attacks.

Impact on SAP S/4HANA Releases

The flaw affects all SAP S/4HANA releases, including both Private Cloud and On-Premise versions. This means that any organization using these systems is at risk, regardless of the release version or configuration. The vulnerability can be exploited from a low-privileged account, making it easier for attackers to gain access to sensitive areas of the system.

Vendor Response and Expert Insights

SAP addressed the vulnerability on August 11, 2025, but experts warn that this may not be enough to prevent exploitation. SecurityBridge Threat Research Labs found and confirmed an exploit for this issue, which is currently active in the wild. The researchers recommend that administrators take immediate action to patch their systems and address the flaw.

SecurityBridge experts emphasize that although the flaw has not yet spread widely, it is already being abused by threat actors. They warn that the attack complexity is low, requiring only low-level credentials on the SAP system and no user interaction. The CVSS score of 9.9 reflects the high severity of this vulnerability.

"A complete system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware," reported SecurityBridge. To demonstrate the potential impact of this vulnerability, they have created a demo based on their own research and tooling.

Recommendations for Affected Organizations

Given the high severity of this flaw, affected organizations should take immediate action to address the vulnerability. This includes patching SAP systems as soon as possible, reviewing access controls and authorization mechanisms, and ensuring that all users are aware of the risks associated with this exploit.

"The attacker needs only low-level credentials on the SAP system (any valid user account with permissions to call the vulnerable RFC module and the specific S_DMIS authorization with activity 02), and no user interaction is required," concludes SecurityBridge. "The attack complexity is low and can be performed over the network, which is why the CVSS score is so high (9.9). In summary, a malicious insider or a threat actor who has gained basic user access (through phishing, for example) could leverage this flaw to escalate into full control of the SAP environment."
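One concrete step behind "reviewing access controls and authorization mechanisms" is to find out which accounts actually hold the S_DMIS authorization with activity 02 that the quote above names as the exploit precondition, so their number can be minimised while patching is under way. The script below is an added example written for this article; it is not code from SAP or SecurityBridge. It assumes a per-user CSV export of authorization values with the columns USER, OBJCT, FIELD, VON, BIS (modelled on the low/high value pairs SAP stores for authorization fields; the exact export format is an assumption) and uses constructed sample rows. It handles the three value forms SAP allows: a single value, a closed range (VON..BIS) and a wildcard (`*` or a trailing `*`).

```python
"""Audit which SAP users hold S_DMIS with activity 02.

Added example, not from the original article, SAP or SecurityBridge.
Assumes a flattened CSV export of user authorization values with columns
USER, OBJCT, FIELD, VON, BIS (an assumed layout). SAMPLE_EXPORT is
constructed sample data, not a real system dump.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per user / object / field value.
SAMPLE_EXPORT = """USER,OBJCT,FIELD,VON,BIS
ADMIN01,S_DMIS,ACTVT,*,
DEV02,S_DMIS,ACTVT,02,
AUDITOR,S_DMIS,ACTVT,03,
BATCH_RFC,S_DMIS,ACTVT,01,05
REPORT_USER,S_TCODE,TCD,SE38,
"""


def value_matches(von: str, bis: str, wanted: str) -> bool:
    """Return True if the authorization value pair (von, bis) covers `wanted`.

    SAP authorization values are a single value, a closed range VON..BIS,
    a full wildcard '*', or a prefix pattern such as '0*'. Range comparison
    is done lexicographically on the stored strings (assumed here).
    """
    if von == "*":
        return True
    if von.endswith("*") and wanted.startswith(von[:-1]):
        return True
    if bis:
        return von <= wanted <= bis
    return von == wanted


def users_with_activity(export_text: str, obj: str = "S_DMIS",
                        field: str = "ACTVT", activity: str = "02") -> dict:
    """Map each user whose `obj`/`field` authorization covers `activity`
    to the list of (VON, BIS) pairs that grant it."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJCT"] != obj or row["FIELD"] != field:
            continue
        if value_matches(row["VON"], row["BIS"], activity):
            hits[row["USER"]].append((row["VON"], row["BIS"]))
    return dict(hits)


if __name__ == "__main__":
    for user, grants in sorted(users_with_activity(SAMPLE_EXPORT).items()):
        print(f"{user}: S_DMIS ACTVT 02 granted via {grants}")
```

In the sample, ADMIN01 (full wildcard), DEV02 (exact value) and BATCH_RFC (range 01..05) are flagged, while AUDITOR (activity 03 only) and REPORT_USER (a different object) are not. The range and wildcard handling matters: an audit that only looks for the literal value `02` would miss the first and third of those accounts.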
