
SAP S/4HANA vulnerability CVE-2025-42957 actively exploited

A critical vulnerability in SAP S/4HANA, SAP's Enterprise Resource Planning (ERP) software, is being exploited in the wild. The flaw, tracked as CVE-2025-42957 with a CVSS score of 9.9, is an ABAP code injection and was fixed by SAP in its recent monthly security updates. According to the NIST National Vulnerability Database (NVD), it allows an attacker with ordinary user privileges to abuse a function module exposed via Remote Function Call (RFC) and inject arbitrary ABAP code into the system, bypassing the authorisation checks that would normally apply. Because the injected code runs with the authorisations of the SAP application server rather than the calling user, successful exploitation amounts to full compromise of the system, affecting the confidentiality, integrity, and availability of the SAP environment. An attacker could modify the SAP database directly, create superuser accounts holding the SAP_ALL profile, download password hashes, and alter critical business processes.

SecurityBridge Threat Research Labs reported the active exploitation, which affects both the on-premise and Private Cloud editions of SAP S/4HANA. Exploitation requires only a low-privileged user account, so any attacker who has obtained such credentials can fully compromise the system. Exploitation observed so far is limited rather than widespread, but threat actors are believed to understand the flaw, and reverse engineering the patch into a working exploit is considered straightforward. Organisations are therefore urged to apply the patches immediately, monitor logs for suspicious RFC calls and for newly created administrative users, and make sure network segmentation and tested backups are in place. Implementing SAP UCON (Unified Connectivity) to restrict which function modules can be called over RFC, and reviewing who holds authorisation object S_DMIS with activity 02, are also recommended; these reduce the attack surface but are compensating controls, not a replacement for the patch.
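The monitoring advice above (watch for suspicious RFC calls and for new users that receive SAP_ALL) can be turned into a small detection pass. The following is an added example, not code from the article, SecurityBridge, or SAP. It runs over a constructed, simplified event export; the line format, the user names, and the function module names (including the hypothetical `Z_HYPOTHETICAL_FM`) are assumptions for illustration and do not match SAP's real Security Audit Log or change-document formats. The RFC allowlist stands in for what a UCON configuration would permit.

```python
"""Flag CVE-2025-42957-style post-exploitation indicators in an event export.

Added example. The event format, names and allowlist below are constructed
assumptions for this demonstration, not SAP's own log format or data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export: one event per line,
#   <timestamp> <kind> <actor> <target> <detail>
# kind is USER_CREATE, PROFILE_ASSIGN or RFC_CALL. Not a real SAP format.
SAMPLE_EVENTS = """\
2025-09-05T10:02:11 RFC_CALL       svc_reports  ZRFC_READ_TABLE    ok
2025-09-05T10:02:13 RFC_CALL       svc_reports  Z_HYPOTHETICAL_FM  ok
2025-09-05T10:02:40 USER_CREATE    svc_reports  ZADM01             type=dialog
2025-09-05T10:03:05 PROFILE_ASSIGN svc_reports  ZADM01             profile=SAP_ALL
2025-09-05T11:15:00 USER_CREATE    basis_admin  JSMITH             type=dialog
2025-09-05T11:16:00 PROFILE_ASSIGN basis_admin  JSMITH             profile=Z_SALES_DISPLAY
"""

# Function modules permitted over RFC, in the spirit of a UCON allowlist.
# Assumption for this example; a real list comes from the UCON configuration.
RFC_ALLOWLIST = {"ZRFC_READ_TABLE"}

# A user created and handed SAP_ALL within this window is the pattern the
# article warns about (attacker creates a superuser account).
SAP_ALL_WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    actor: str   # user who performed the action / issued the RFC call
    target: str  # user affected, or function module called
    detail: str


def parse_events(text):
    """Parse the constructed line format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, actor, target, detail = line.split(None, 4)
        events.append(Event(datetime.fromisoformat(ts), kind, actor, target.strip(), detail.strip()))
    return events


def detect(events):
    """Return (rule, actor, target) findings, processing events in time order."""
    findings = []
    created = {}  # new user -> (creation time, creator)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "RFC_CALL" and ev.target not in RFC_ALLOWLIST:
            # RFC use outside the allowlist is exactly what UCON would block.
            findings.append(("rfc_outside_allowlist", ev.actor, ev.target))
        elif ev.kind == "USER_CREATE":
            created[ev.target] = (ev.ts, ev.actor)
        elif ev.kind == "PROFILE_ASSIGN" and ev.detail == "profile=SAP_ALL":
            # Any SAP_ALL grant is worth a look; a grant to a just-created
            # user by the same low-privileged actor is the high-confidence case.
            findings.append(("sap_all_assigned", ev.actor, ev.target))
            info = created.get(ev.target)
            if info and ev.ts - info[0] <= SAP_ALL_WINDOW:
                findings.append(("new_user_with_sap_all", info[1], ev.target))
    return findings


if __name__ == "__main__":
    for rule, actor, target in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:24} actor={actor:12} target={target}")
```

On the sample data the pass reports the RFC call to the non-allowlisted module and the `ZADM01` account that received SAP_ALL 25 seconds after `svc_reports` created it, while the routine `JSMITH` provisioning by `basis_admin` stays quiet. In a real environment the same three rules would be fed from the Security Audit Log and user-change documents, with the allowlist taken from the UCON configuration.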
