Critical SAP S/4HANA flaw CVE-2025-42957 under active exploitation

Pierluigi Paganini September 05, 2025

Experts warn of an actively exploited vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), in SAP S/4HANA software.

A critical command injection vulnerability, tracked as CVE-2025-42957 (CVSS score of 9.9), in SAP S/4HANA is under active exploitation.

An attacker can exploit this flaw to fully compromise SAP systems, altering databases, creating superuser accounts, and stealing password hashes.

“SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks.” reads the advisory. “This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.”

SAP S/4HANA ERP is SAP’s enterprise resource planning (ERP) suite, designed to help large and mid-sized organizations manage core business processes like finance, supply chain, manufacturing, sales, procurement, and human resources.

The flaw affects all SAP S/4HANA releases (Private Cloud and On-Premise) and can be exploited from a low-privileged account to fully compromise the system.

The vendor addressed the vulnerability on August 11, 2025.

SecurityBridge Threat Research Labs found and confirmed an exploit for this issue that is active in the wild, and recommends that admins address the flaw immediately.

“A complete system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware.” reported SecurityBridge. “To demonstrate the potential impact of this vulnerability, we have created the attached Demo based on our own research and tooling:”

SecurityBridge experts warn that although not yet widespread, the flaw is already being abused. Unpatched SAP systems are exposed, and exploits are easy to craft by reverse-engineering the ABAP patch.

“The attacker needs only low-level credentials on the SAP system (any valid user account with permissions to call the vulnerable RFC module and the specific S_DMIS authorization with activity 02), and no user interaction is required.” concludes SecurityBridge.

“The attack complexity is low and can be performed over the network, which is why the CVSS score is so high (9.9). In summary, a malicious insider or a threat actor who has gained basic user access (through phishing, for example) could leverage this flaw to escalate into full control of the SAP environment.”
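The authorization prerequisite SecurityBridge describes (S_DMIS with activity 02) can be reviewed offline from role exports. The following is an added example, not code from SecurityBridge or SAP, that lists the users whose roles grant that activity, including through wildcard or range values. The CSV layout, role names and user names are constructed; the column names follow the AGR_1251 and AGR_USERS tables as an assumption, and the check does not cover the second prerequisite (permission to call the RFC module) or authorizations assigned through manual profiles.

```python
import csv
import io

# Constructed sample exports (not real data). Column names mirror AGR_1251
# (role authorization values) and AGR_USERS (role assignments); the CSV
# layout itself is an assumption of this example.
ROLE_VALUES_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_DMIS_ADMIN,S_DMIS,ACTVT,02,
Z_DMIS_DISPLAY,S_DMIS,ACTVT,03,
Z_WIDE,S_DMIS,ACTVT,*,
Z_RANGE,S_DMIS,ACTVT,01,03
Z_FINANCE,F_BKPF_BUK,ACTVT,02,
"""
ROLE_USERS_CSV = """AGR_NAME,UNAME
Z_DMIS_ADMIN,SLT_BATCH
Z_DMIS_DISPLAY,AUDITOR1
Z_WIDE,JDOE
Z_RANGE,MMUSTER
Z_FINANCE,JDOE
"""

def value_grants(low, high, wanted):
    """True if an authorization value (single, pattern or range) covers `wanted`."""
    low, high = low.strip(), high.strip()
    if high:                   # interval LOW..HIGH
        return low <= wanted <= high
    if low.endswith("*"):      # full or prefix wildcard, e.g. * or 0*
        return wanted.startswith(low[:-1])
    return low == wanted

def roles_granting(role_values_csv, obj="S_DMIS", field="ACTVT", wanted="02"):
    """Names of roles whose values for obj/field cover the wanted activity."""
    rows = csv.DictReader(io.StringIO(role_values_csv))
    return {r["AGR_NAME"] for r in rows
            if r["OBJECT"] == obj and r["FIELD"] == field
            and value_grants(r["LOW"], r["HIGH"] or "", wanted)}

def exposed_users(role_values_csv, role_users_csv):
    """Map each user to the assigned roles that grant S_DMIS activity 02."""
    risky = roles_granting(role_values_csv)
    hits = {}
    for r in csv.DictReader(io.StringIO(role_users_csv)):
        if r["AGR_NAME"] in risky:
            hits.setdefault(r["UNAME"], set()).add(r["AGR_NAME"])
    return hits

if __name__ == "__main__":
    for user, roles in sorted(exposed_users(ROLE_VALUES_CSV, ROLE_USERS_CSV).items()):
        print(user, sorted(roles))
```

Users flagged this way are candidates for role cleanup and for prioritized log review until the August 11, 2025 fix is applied.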
