A newly disclosed vulnerability in SAP S/4HANA has been rated critical, with security researchers warning that exploitation is already underway.
The flaw, tracked as CVE-2025-42957, carries a CVSS score of 9.9 and affects S/4HANA systems running S4CORE versions 102 through 108, both in private cloud and on-premise deployments.
According to the official CVE record published by SAP SE, the issue stems from a function module exposed via Remote Function Call (RFC) that allows attackers with low-level user privileges to inject arbitrary ABAP code, bypassing authorization checks. In effect, it functions as a backdoor, exposing the confidentiality, integrity, and availability of the system.
Because S/4HANA is the backbone of financial, supply chain, and operational processes for most large enterprises, compromise could lead to far-reaching consequences across industries.
Pathlock Research Lab has confirmed activity consistent with exploitation attempts, noting that a basic SAP account is enough to reach the vulnerable RFC module and escalate privileges.
Opening the Door to Full Control
Successful exploitation grants administrator-level control and opens the door to OS-level actions, the company wrote. It allows an attacker with low user privileges to take full control of an organization’s SAP system.
SAP issued patches on 12 August, under Note 3627998 for S/4HANA and Note 3633838 for SLT/DMIS if present in the environment. There are no vendor workarounds; patching is the only effective mitigation.
Pathlock outlined additional hardening measures:
- Reduce RFC attack surface with UCON and allowlists.
- Tighten authorizations, especially around sensitive RFMs.
- Monitor for callback abuse patterns, such as anomalous use of RFC_PING or unexpected creation of ABAP reports and admin accounts.
- Stream SAP audit logs to SIEM systems to hunt for signs of compromise.
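The three monitoring signals in the list above (anomalous RFC_PING use, unexpected ABAP report creation, and newly created accounts that immediately receive administrative rights) can be turned into simple hunting rules once the audit log reaches a SIEM. The script below is an added illustration for this article, not code from Pathlock or SAP: the pipe-delimited line layout, the event names (RFC_CALL, REPORT_CREATED, USER_CREATED, PROFILE_ASSIGNED), the user and terminal names and the thresholds are all constructed assumptions, not SAP's real Security Audit Log record format. SAP_ALL and SAP_NEW are real SAP profile names.

```python
"""Hunt for the callback-abuse patterns from the hardening list: a burst of
RFC_PING calls from one user, ABAP reports created by a non-developer, and a
freshly created user that is granted a powerful profile within minutes.

Added example for this article; not Pathlock's or SAP's code. The log layout
(timestamp|client|user|terminal|event|detail) and the event names are
assumptions chosen for readability, not SAP's real Security Audit Log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry).
SAMPLE_LOG = """\
2025-08-13T09:14:02Z|100|JDOE|WS0451|RFC_CALL|RFC_PING
2025-08-13T09:14:03Z|100|JDOE|WS0451|RFC_CALL|RFC_PING
2025-08-13T09:14:03Z|100|JDOE|WS0451|RFC_CALL|RFC_PING
2025-08-13T09:14:04Z|100|JDOE|WS0451|RFC_CALL|RFC_PING
2025-08-13T09:14:04Z|100|JDOE|WS0451|RFC_CALL|RFC_PING
2025-08-13T09:14:05Z|100|JDOE|WS0451|RFC_CALL|RFC_PING
2025-08-13T09:14:20Z|100|JDOE|WS0451|REPORT_CREATED|ZTMP_SHELL
2025-08-13T09:14:31Z|100|JDOE|WS0451|USER_CREATED|ZSUPPORT
2025-08-13T09:14:33Z|100|JDOE|WS0451|PROFILE_ASSIGNED|ZSUPPORT:SAP_ALL
2025-08-13T10:02:11Z|100|BASISADM|WS0102|RFC_CALL|RFC_PING
2025-08-13T10:30:00Z|100|DEV01|WS0333|REPORT_CREATED|ZFI_REPORT
"""

DEVELOPERS = {"DEV01"}                 # users expected to create ABAP objects (assumed)
PING_THRESHOLD = 5                     # more than this many RFC_PING calls ...
PING_WINDOW = timedelta(seconds=60)    # ... inside this window is anomalous
PRIVILEGED_PROFILES = {"SAP_ALL", "SAP_NEW"}   # real SAP profile names
ADMIN_GRANT_WINDOW = timedelta(minutes=10)     # creation-to-grant gap that is suspicious


def parse_line(line):
    """Split one constructed audit line into a record dict."""
    ts, client, user, terminal, event, detail = line.split("|", 5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "user": user, "terminal": terminal, "event": event, "detail": detail}


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the given log text."""
    alerts = []
    pings = defaultdict(deque)   # user -> timestamps of RFC_PING calls in the window
    ping_alerted = set()         # alert once per user, not once per extra ping
    created = {}                 # new user -> (creator, creation time)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, event, detail, ts = rec["user"], rec["event"], rec["detail"], rec["ts"]

        # Rule 1: burst of RFC_PING from one user (probing / callback pattern)
        if event == "RFC_CALL" and detail == "RFC_PING":
            q = pings[user]
            q.append(ts)
            while q and ts - q[0] > PING_WINDOW:   # drop pings outside the window
                q.popleft()
            if len(q) > PING_THRESHOLD and user not in ping_alerted:
                ping_alerted.add(user)
                alerts.append(("rfc_ping_burst", user,
                               f"{len(q)} calls within {PING_WINDOW.seconds}s"))

        # Rule 2: ABAP report created by someone who is not a known developer
        elif event == "REPORT_CREATED" and user not in DEVELOPERS:
            alerts.append(("unexpected_report_creation", user, detail))

        # Rule 3: new user handed a privileged profile shortly after creation
        elif event == "USER_CREATED":
            created[detail] = (user, ts)
        elif event == "PROFILE_ASSIGNED":
            target, profile = detail.split(":", 1)
            if profile in PRIVILEGED_PROFILES and target in created:
                creator, t0 = created[target]
                if ts - t0 <= ADMIN_GRANT_WINDOW:
                    alerts.append(("new_admin_account", creator,
                                   f"{target} granted {profile}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule:28} user={user:10} {detail}")
```

Run against the constructed sample, the script raises three alerts, all on JDOE: the ping burst, the ZTMP_SHELL report, and the ZSUPPORT account receiving SAP_ALL two seconds after creation. The single RFC_PING from BASISADM and the report created by DEV01 stay quiet, which is the point of pairing a threshold and a known-developer list with each rule rather than alerting on every occurrence. A real deployment would read the SAL export format actually in use and keep the per-user state in the SIEM rather than in memory.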
The vulnerability follows a similar S/4HANA code injection bug disclosed in April 2025 (CVE-2025-27429), reinforcing a broader trend of attackers targeting exposed RFC modules.
Pathlock noted its detection and response tools are already identifying exploitation attempts in customer environments and can trigger automated countermeasures, such as policy-driven user lockouts, to contain attacks.
For unpatched organizations, the advice is to patch immediately, validate coverage, and monitor closely.
A “Worrying Trend”
Jonathan Stross, SAP Security Analyst at Pathlock, says: “2025 has been marked by a worrying trend of SAP vulnerabilities being exploited in the wild, with the window between disclosure and large-scale exploitation narrowing dramatically. In the case of CVE-2025-42957, the exploitation activity surged dramatically as the patch was released – attackers quickly picked up the vulnerability and weaponized it more broadly.”
Stross adds that successful exploitation of CVE-2025-42957 can grant an attacker administrator-level control in SAP and provide a path to OS-level actions. “In practice, attackers can steal sensitive regulated data, create hidden backdoors, harvest credentials, disrupt operations, and even deploy ransomware. This latest vulnerability underscores the growing urgency of applying SAP security updates without delay. A patch timeframe of a month, which is still common in some enterprises, is no longer feasible against this type of threat.”
Unfortunately, he says, we continue to see hundreds of organizations that remain unpatched and therefore vulnerable to CVE-2025-42957. This also highlights the challenge enterprises face in keeping up with SAP security updates. Applying a fix in an SAP landscape is not as simple as updating a single system. SAP in large enterprises involves multiple interconnected platforms that are deeply customized. Each patch must be carefully tested, especially as these systems span critical business areas such as finance, HR, procurement, and supply chain.
“Overall, this trend reinforces the need for more active adoption of dedicated SAP security solutions that can streamline patching, accelerate vulnerability management, and reduce the MTTD and MTTR.”
Small Openings Turned to Compromise
Shane Barney, Chief Information Security Officer at Keeper Security, calls this CVE “a textbook example” of why entities should never let untrusted input dictate how their code runs. “Once dynamic code execution is in play, attackers can turn small openings into complete system compromise.”
The right mitigations start with avoiding dynamic code execution altogether or at minimum strictly whitelisting what commands are allowed, Barney adds. “Validate all inputs against allow-lists, not block-lists. Replace risky dynamic execution with libraries or APIs that provide safer parsing and better visibility. Run applications with the minimum OS and database privileges possible, and use sandboxing, containerization or microservices to contain the blast radius if something goes wrong. On top of that, layer defenses with tools like web application firewalls and make sure logging and alerting are in place to flag unexpected execution paths.”
According to him, the real takeaway is that defenders need a deep understanding of how their applications are designed to operate – what they connect to, which ports they use and how they behave at runtime. “Only by comparing that expected state to what’s actually happening can teams catch and contain attacks like this before they spread.”
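Barney's first two points, avoid dynamic execution where possible and validate against allow-lists rather than block-lists, are easiest to see side by side. The snippet below is an added illustration for this article and is not Keeper Security's, SAP's or Pathlock's code; the request structure, the operation names and the argument format rule are assumptions chosen to make the contrast visible, and eval stands in for any mechanism that resolves a caller-supplied name into code at runtime.

```python
"""Allow-list dispatch versus dynamic execution.

Added example for this article, not code from any vendor quoted in it. The
request shape {"op": ..., "arg": ...}, the operation names and the argument
format rule are assumptions for illustration."""


def export_report(name):
    return f"exported {name}"


def close_period(name):
    return f"closed {name}"


# The only operations a caller may trigger, each bound to a fixed implementation.
ALLOWED_OPERATIONS = {
    "export_report": export_report,
    "close_period": close_period,
}


class RejectedRequest(ValueError):
    """Raised when a request fails the allow-list checks."""


def run_dynamic(request):
    """The risky shape: the caller's string is resolved by name at runtime.
    Anything the runtime can resolve becomes reachable, so a block-list would
    have to enumerate every name that should NOT be callable, which it cannot."""
    return eval(request["op"])(request["arg"])


def run_allowlisted(request):
    """The hardened shape: the input selects among explicitly permitted entries
    and nothing else, and the argument must match a strict expected format
    (here: upper-case alphanumeric, at most 30 characters) before any call."""
    op = request.get("op")
    handler = ALLOWED_OPERATIONS.get(op)
    if handler is None:
        raise RejectedRequest(f"operation not permitted: {op!r}")
    arg = request.get("arg", "")
    if not (arg.isalnum() and arg.isupper() and len(arg) <= 30):
        raise RejectedRequest(f"argument fails allow-list format: {arg!r}")
    return handler(arg)


if __name__ == "__main__":
    # A name that was never meant to be an operation resolves anyway in the
    # dynamic variant (a built-in, here), but is refused by the allow-list.
    print(run_dynamic({"op": "len", "arg": "ABC"}))
    try:
        run_allowlisted({"op": "len", "arg": "ABC"})
    except RejectedRequest as exc:
        print("rejected:", exc)
    print(run_allowlisted({"op": "export_report", "arg": "FI2025"}))
```

The contrast is that run_allowlisted never asks the runtime to look anything up by the caller's string: the mapping from input to behaviour is a fixed table the defender wrote, and a request for len or any other name simply has no entry. The argument check applies the same idea one level down, describing what valid input looks like instead of trying to list what bad input looks like.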
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.