Exploited Critical Vulnerability CVE-2025-42957 in SAP S/4HANA

Published: Sep 05, 2025 | Ravie Lakshmanan | Vulnerability / Enterprise Security

Emerging Security Threat in SAP S/4HANA

A critical vulnerability in SAP S/4HANA, a widely deployed Enterprise Resource Planning (ERP) suite, is being actively exploited in the wild. The flaw, tracked as CVE-2025-42957, carries a CVSS score of 9.9. It is a code injection vulnerability (arbitrary ABAP code, not OS command injection), and it puts every organization running the affected editions at risk of full compromise.

Details of the Vulnerability

SAP fixed the vulnerability as part of its August 2025 monthly security patch release. According to the NIST National Vulnerability Database (NVD), an attacker who already holds user-level privileges can abuse a specific function module that is exposed via RFC (Remote Function Call). The flaw lets that attacker inject arbitrary ABAP code into the system while bypassing essential authorization checks, compromising the security of the entire system.

Potential Impacts of the Exploit

Successful exploitation of CVE-2025-42957 can lead to full system compromise, threatening the confidentiality, integrity, and availability of the SAP environment. An attacker can manipulate the SAP database, create superuser accounts carrying the SAP_ALL profile, extract password hashes, and alter critical business processes. Organizations that are hit could face severe operational disruption and financial loss.

Active Exploitation Observed

On Thursday (September 4), SecurityBridge Threat Research Labs published an alert stating that it has observed active exploitation of the vulnerability. The issue affects both the on-premise and Private Cloud editions of SAP S/4HANA. According to the report, exploitation requires nothing more than access to a low-privileged user account, so a complete compromise can be achieved with minimal effort. That opens the door to fraud, data theft, espionage, and even ransomware deployment.

Immediate Action Required

Although no widespread attacks have been reported yet, the observed activity shows the threat is real. SecurityBridge cautions that threat actors already possess the knowledge needed to exploit the flaw, and that reverse-engineering the patch is relatively straightforward, so the window before broader exploitation is likely short. Organizations are therefore urged to apply the latest patches promptly, monitor logs for suspicious RFC calls and for newly created or unexpectedly privileged administrative users, and make sure network segmentation and tested backups are in place.

As a compensating control, organizations should consider enabling SAP UCON (Unified Connectivity) to restrict which function modules can be called via RFC from outside the system. In addition, review who holds authorization object S_DMIS with activity 02 (change), and restrict that authorization to the technical users that genuinely require it, since it is the privilege level the attack relies on.
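The two mitigations above (restricting S_DMIS activity 02 and watching for suspicious RFC calls and new SAP_ALL accounts) can be checked mechanically. The script below is an added example written for this article; it is not SAP's, SecurityBridge's, or Pathlock's code. It runs offline over two constructed, simplified exports: a list of user authorization values such as you might pull from SUIM, and a pipe-separated event stream in a made-up format (timestamp|kind|actor|target|detail). The event format, the user names, the host names, and the allowlists are all assumptions for illustration; the real Security Audit Log and RFC gateway log must be mapped onto these fields before the rules are useful.

```python
"""Audit helper for the CVE-2025-42957 mitigations: flags unapproved S_DMIS ACTVT 02
holders, SAP_ALL grants by non-admins, freshly created superuser accounts, and RFC
calls by S_DMIS-capable users from unknown hosts. Added example, not vendor code."""
from datetime import datetime, timedelta

# Constructed sample authorization export (user, object, field, value). Not real data.
AUTHS = [
    ("DMIS_SERVICE", "S_DMIS", "ACTVT", "02"),   # expected: SLT/DMIS technical user
    ("ZDEV01",       "S_DMIS", "ACTVT", "02"),   # unexpected: a dialog developer
    ("ZDEV01",       "S_DMIS", "ACTVT", "03"),   # display only, harmless
    ("JSMITH",       "S_DMIS", "ACTVT", "03"),
]

# Constructed, simplified event stream (assumed format, not the real SAL layout).
# kind ∈ {RFC_CALL, USER_CREATE, PROFILE_ASSIGN}; target is host / new user / grantee.
EVENTS = """\
2025-09-04T10:01:12Z|RFC_CALL|DMIS_SERVICE|slt-host-01|remote RFC call
2025-09-04T10:02:40Z|RFC_CALL|ZDEV01|203.0.113.77|remote RFC call
2025-09-04T10:03:05Z|USER_CREATE|ZDEV01|ZADMIN9|dialog user
2025-09-04T10:03:09Z|PROFILE_ASSIGN|ZDEV01|ZADMIN9|SAP_ALL
2025-09-04T11:30:00Z|PROFILE_ASSIGN|BASIS_ADMIN|EMERG01|SAP_ALL
"""

# Assumed allowlists; replace with your own approved technical users, hosts, admins.
APPROVED_DMIS_USERS = {"DMIS_SERVICE"}   # may legitimately hold S_DMIS ACTVT 02
APPROVED_RFC_HOSTS = {"slt-host-01"}     # may call in via RFC with that privilege
APPROVED_ADMINS = {"BASIS_ADMIN"}        # may assign SAP_ALL at all
NEW_USER_WINDOW = timedelta(minutes=15)  # "new superuser" = SAP_ALL soon after creation


def parse_events(text):
    """Parse the constructed pipe-separated format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, actor, target, detail = line.split("|", 4)  # detail may contain '|'
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "kind": kind, "actor": actor, "target": target, "detail": detail,
        })
    return events


def users_with_dmis_change(auths):
    """Users holding S_DMIS with ACTVT 02, the privilege the exploit relies on."""
    return {user for user, obj, field, value in auths
            if obj == "S_DMIS" and field == "ACTVT" and value == "02"}


def audit_dmis_grants(auths, approved=APPROVED_DMIS_USERS):
    """Finding list: every S_DMIS ACTVT 02 holder that is not on the allowlist."""
    return sorted(users_with_dmis_change(auths) - approved)


def audit_events(events, auths, hosts=APPROVED_RFC_HOSTS, admins=APPROVED_ADMINS,
                 window=NEW_USER_WINDOW):
    """Correlate the event stream with the authorization export.

    Returns (rule, actor, target) tuples; one event can trigger several rules.
    """
    findings = []
    dmis_users = users_with_dmis_change(auths)
    created_at = {}  # new user -> creation time, for the "new superuser" rule
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] == "USER_CREATE":
            created_at[e["target"]] = e["ts"]
        elif e["kind"] == "PROFILE_ASSIGN" and e["detail"] == "SAP_ALL":
            if e["actor"] not in admins:
                findings.append(("SAP_ALL_BY_NONADMIN", e["actor"], e["target"]))
            birth = created_at.get(e["target"])
            if birth is not None and e["ts"] - birth <= window:
                findings.append(("NEW_SUPERUSER", e["actor"], e["target"]))
        elif e["kind"] == "RFC_CALL":
            # Only RFC calls by users who could actually reach the vulnerable
            # privilege level are interesting; unknown source host = finding.
            if e["actor"] in dmis_users and e["target"] not in hosts:
                findings.append(("RFC_FROM_UNKNOWN_HOST", e["actor"], e["target"]))
    return findings


if __name__ == "__main__":
    print("Unapproved S_DMIS ACTVT 02 holders:", audit_dmis_grants(AUTHS))
    for rule, actor, target in audit_events(parse_events(EVENTS), AUTHS):
        print(f"{rule:24} actor={actor:12} target={target}")
```

On the constructed data this reports ZDEV01 as an unapproved S_DMIS 02 holder, an RFC call by that user from an unknown address, and a SAP_ALL grant by a non-admin to an account created seconds earlier, which is exactly the "create a superuser" post-exploitation step described above. The BASIS_ADMIN grant to EMERG01 is not flagged because the grantor is on the admin allowlist and no creation event precedes it; tune the allowlists and the time window to your own change-management process rather than trusting these defaults.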

Industry Response

In a related development, cybersecurity vendor Pathlock reported detecting unusual activity consistent with attempts to exploit CVE-2025-42957. Pathlock warns that any organization that has not yet applied SAP's August 2025 security notes remains exposed.
