A severe security flaw has been discovered in SAP S/4HANA, the widely used Enterprise Resource Planning (ERP) platform. The vulnerability, identified as CVE-2025-42957 with a CVSS score of 9.9, is currently being exploited in real-world attacks.
Vulnerability Details
This is a command injection vulnerability that affects the function module exposed through Remote Function Calls (RFC). According to the NIST National Vulnerability Database (NVD), attackers with regular user-level access can exploit this flaw to inject arbitrary ABAP code into the system, effectively bypassing key authorization checks.
If exploited successfully, the vulnerability could lead to complete system compromise, threatening confidentiality, integrity, and availability. Attackers could:
- Modify the SAP database
- Create superuser accounts with SAP_ALL privileges
- Steal password hashes
- Manipulate critical business processes
Active Exploitation
Researchers at SecurityBridge Threat Research Labs confirmed that the flaw is being actively exploited. Both on-premise and Private Cloud editions of SAP S/4HANA are at risk.
The team warned that only a low-privileged account is required to exploit the flaw, meaning attackers could achieve full system compromise with minimal effort. Successful exploitation could enable fraud, data theft, cyber espionage, or ransomware deployment.
Although widespread exploitation has not yet been observed, experts caution that attackers can reverse engineer SAP’s patch to develop exploits quickly.
Security Recommendations
Organizations are strongly advised to:
- Apply the latest SAP patches without delay
- Monitor logs for unusual RFC activity or creation of new admin accounts
- Ensure network segmentation and secure backups
- Enable SAP UCON to limit RFC usage
- Restrict access to authorization object S_DMIS activity 02
Failure to patch and secure SAP environments could result in significant financial loss, data breaches, and operational disruption.
