
SAP S/4HANA Vulnerability Actively Exploited in Attacks

Summary

– A critical SAP S/4HANA code injection vulnerability (CVE-2025-42957) allows low-privileged users to inject arbitrary code and fully take over systems.
– SAP fixed the flaw on August 11, 2025, rating it critical with a CVSS score of 9.9, but many systems remain unpatched and are now being targeted.
– SecurityBridge discovered and reported the vulnerability in June 2025, assisted in patch development, and has verified active, though limited, exploitation in the wild.
– Exploitation risks include data theft, manipulation, privilege escalation, credential theft, and operational disruption through malware or ransomware.
– SAP administrators are urged to apply the August 2025 Patch Day updates immediately to protect affected versions of S/4HANA, Landscape Transformation, Business One, and NetWeaver.

A critical vulnerability within SAP S/4HANA is now being actively exploited, allowing attackers to compromise unprotected servers and execute unauthorized code. Identified as CVE-2025-42957, this flaw enables authenticated users with minimal privileges to inject arbitrary ABAP code, bypass security controls, and gain full administrative control over affected SAP environments.

SAP addressed the issue in its August 2025 security updates, assigning it a severity rating of 9.9 out of 10. Despite the availability of a patch, many organizations have yet to apply the fix, leaving their systems open to targeted attacks. According to cybersecurity firm SecurityBridge, limited but confirmed exploitation is already occurring in the wild.

The vulnerability was originally discovered and responsibly disclosed by SecurityBridge in late June 2025. The firm also assisted SAP in developing a remediation. However, due to the open nature of ABAP code, threat actors with sufficient expertise can reverse-engineer the patch and construct their own exploits with relative ease.

SecurityBridge warns that successful attacks could lead to severe consequences, including data theft, unauthorized code execution, privilege escalation, and full system compromise. Malicious actors may create backdoor accounts, steal credentials, or deploy ransomware, significantly disrupting business operations.

A demonstration video published by SecurityBridge illustrates how attackers can run system commands on vulnerable SAP servers, underscoring the urgency of applying available updates.

Administrators are urged to install the latest patches immediately, especially if their systems are running any of the affected versions.

Affected versions include S/4HANA (Private Cloud or On-Premise): S4CORE 102 through 108.

SAP has released a detailed security bulletin with further guidance, though access is restricted to customers with valid credentials. As exploitation continues, prompt action remains the most effective defense against potential breaches.

(Source: Bleeping Computer)
