A crucial SAP S/4HANA code injection vulnerability is being leveraged in assaults within the wild to breach uncovered servers, researchers warn.
The flaw, tracked as CVE-2025-42957, is an ABAP code injection drawback in an RFC-exposed operate module of SAP S/4HANA, permitting low-privileged authentication customers to inject arbitrary code, bypass authorization, and totally take over SAP.
The seller fastened the vulnerability on August 11, 2025, ranking it crucial (CVSS rating: 9.9).
Nevertheless, a number of programs haven’t utilized the out there safety updates, and these are actually being focused by hackers who’ve weaponized the bug.
In accordance with a report by SecurityBridge, CVE-2025-42957 is now below lively, albeit restricted, exploitation within the wild.
SecurityBridge acknowledged that it found the vulnerability and reported it responsibly to SAP on June 27, 2025, and even assisted within the improvement of a patch.
Nevertheless, as a result of openness of the impacted parts and the power to reverse engineer the fixes, it’s trivial for extremely expert, educated risk actors to determine the exploit themselves.
“Whereas widespread exploitation has not but been reported, SecurityBridge has verified precise abuse of this vulnerability,” reads the SecurityBridge report.
“Meaning attackers already know how one can use it – leaving unpatched SAP programs uncovered.”
“Moreover, reverse engineering the patch to create an exploit is comparatively simple for SAP ABAP, because the ABAP code is open to see for everybody.”
The safety agency warned that the potential ramifications of CVE-2025-42957 exploitation embrace knowledge theft, knowledge manipulation, code injection, privilege escalation by way of the creation of backdoor accounts, credential theft, and operational disruption by way of malware, ransomware, or different means.
SecurityBridge created a video demonstrating how the vulnerability could be exploited to run system instructions on SAP servers.
SAP directors who have not utilized the August 2025 Patch Day updates but ought to accomplish that as quickly as potential.
The affected merchandise and variations are:
- S/4HANA (Personal Cloud or On-Premise), variations S4CORE 102, 103, 104, 105, 106, 107, 108
- Panorama Transformation (Evaluation Platform), DMIS variations 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
- Enterprise One (SLD), model B1_ON_HANA 10.0 and SAP-M-BO 10.0
- NetWeaver Software Server ABAP (BIC Doc), variations S4COREOP 104, 105, 106, 107, 108, SEM-BW 600, 602, 603, 604, 605, 634, 736, 746, 747, 748
A bulletin containing extra details about the beneficial actions is out there right here, however is simply viewable by SAP clients with an account.
BleepingComputer contacted SAP and SecurityBridge to ask how CVE-2025-42957 is being exploited, however we’re nonetheless ready for a response.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration developments.
