Crucial SAP S/4HANA vulnerability now exploited in assaults

A important SAP S/4HANA code injection vulnerability is being leveraged in assaults within the wild to breach uncovered servers, researchers warn.

The flaw, tracked as CVE-2025-42957, is an ABAP code injection downside in an RFC-exposed perform module of SAP S/4HANA, permitting low-privileged authentication customers to inject arbitrary code, bypass authorization, and absolutely take over SAP.

The seller mounted the vulnerability on August 11, 2025, ranking it important (CVSS rating: 9.9).

Nonetheless, a number of programs haven’t utilized the obtainable security updates, and these are actually being focused by hackers who’ve weaponized the bug.

Based on a report by SecurityBridge, CVE-2025-42957 is now underneath lively, albeit restricted, exploitation within the wild.

SecurityBridge acknowledged that it found the vulnerability and reported it responsibly to SAP on June 27, 2025, and even assisted within the growth of a patch.

Nonetheless, because of the openness of the impacted elements and the flexibility to reverse engineer the fixes, it’s trivial for extremely expert, educated risk actors to determine the exploit themselves.

“Whereas widespread exploitation has not but been reported, SecurityBridge has verified precise abuse of this vulnerability,” reads the SecurityBridge report.

“Which means attackers already know easy methods to use it – leaving unpatched SAP programs uncovered.”

“Moreover, reverse engineering the patch to create an exploit is comparatively straightforward for SAP ABAP, because the ABAP code is open to see for everybody.”

The security agency warned that the potential ramifications of CVE-2025-42957 exploitation embody knowledge theft, knowledge manipulation, code injection, privilege escalation via the creation of backdoor accounts, credential theft, and operational disruption via malware, ransomware, or different means.

SecurityBridge created a video demonstrating how the vulnerability may be exploited to run system instructions on SAP servers.

SAP directors who have not utilized the August 2025 Patch Day updates but ought to achieve this as quickly as attainable.

The affected merchandise and variations are:

• S/4HANA (Personal Cloud or On-Premise), variations S4CORE 102, 103, 104, 105, 106, 107, 108
• Panorama Transformation (Evaluation Platform), DMIS variations 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
• Enterprise One (SLD), model B1_ON_HANA 10.0 and SAP-M-BO 10.0
• NetWeaver Utility Server ABAP (BIC Doc), variations S4COREOP 104, 105, 106, 107, 108, SEM-BW 600, 602, 603, 604, 605, 634, 736, 746, 747, 748

A bulletin containing extra details about the beneficial actions is out there right here, however is simply viewable by SAP prospects with an account.

BleepingComputer contacted SAP and SecurityBridge to ask how CVE-2025-42957 is being exploited, however we’re nonetheless ready for a response.