Patch Now: Critical SAP S/4HANA Bug Actively Exploited

Summary
– A critical code injection vulnerability (CVE-2025-42957) in SAP S/4HANA cloud is being actively exploited in the wild.
– The flaw has a CVSS score of 9.9 and allows attackers with low privileges to gain full system control.
– Exploitation enables admin-level access, OS interference, data theft, backdoor deployment, and operational disruption.
– No workarounds exist, and patching is essential but complex due to interconnected, customized SAP environments.
– Many organizations remain unpatched, highlighting challenges in applying timely security updates for critical systems.

Organizations relying on SAP S/4HANA cloud services are being urged to apply a critical security patch immediately, as a recently identified vulnerability is now under active exploitation. This high-severity flaw, designated as CVE-2025-42957, carries a CVSS score of 9.9 and could permit attackers with minimal user rights to seize complete administrative control over affected SAP environments.
Given that SAP S/4HANA often serves as the backbone for financial, logistical, and operational functions across numerous industries, a successful breach could inflict severe harm on businesses of all sizes. Jonathan Stross, a security analyst at Pathlock, emphasized that the system’s widespread adoption means virtually every major sector, from banking and manufacturing to healthcare and government, faces potential risk.
According to the vendor, exploitation of this vulnerability grants threat actors administrative privileges within the SAP system and may even allow interference at the operating system level. Such access opens the door to data theft, credential harvesting, backdoor installation, ransomware attacks, and significant operational disruption.
A National Vulnerability Database entry explains that the weakness lies in a function module accessible via RFC, where insufficient authorization checks enable the injection of arbitrary ABAP code. This effectively acts as a built-in backdoor, jeopardizing the confidentiality, integrity, and availability of the entire system.
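The weakness class just described, a remote-callable function module that builds and runs ABAP at runtime without first checking the caller's authorization, is also what a custom-code review looks for in an organization's own SAP developments. The following Python script is an added example, not code from the article, the NVD entry or SAP: it scans a constructed export of function-module sources (an assumed dictionary of module name to a remote-enabled flag and source text, since the RFC attribute lives in metadata rather than in the source itself) and flags remote-enabled modules that reach a dynamic-code statement before any AUTHORITY-CHECK. The module names, export format and sample source lines are all constructed for the example; this is a triage heuristic for custom code, not a detector for CVE-2025-42957 itself, which is addressed only by applying SAP's patch.

```python
import re
from dataclasses import dataclass

# ABAP statements that turn data into executable code at runtime.
DYNAMIC_CODE = re.compile(r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I)
# The standard ABAP authorization check statement.
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.I)


@dataclass
class Finding:
    module: str      # function module name
    line: int        # 1-based line in the module's source
    statement: str   # the dynamic-code statement that was reached unchecked


def strip_comments(source: str) -> list:
    """Blank out ABAP comments: a '*' in column 1 comments the whole line,
    a '"' comments the rest of the line. Keeps line numbering intact."""
    cleaned = []
    for line in source.splitlines():
        if line.startswith("*"):
            cleaned.append("")
        else:
            cleaned.append(line.split('"', 1)[0])
    return cleaned


def scan_module(name: str, meta: dict) -> list:
    """Return findings for one module. Modules not exposed via RFC are skipped
    because the page's attack path starts at an RFC-accessible module."""
    if not meta.get("remote_enabled"):
        return []
    findings = []
    seen_auth_check = False
    for number, text in enumerate(strip_comments(meta["source"]), start=1):
        if AUTH_CHECK.search(text):
            seen_auth_check = True
        match = DYNAMIC_CODE.search(text)
        if match and not seen_auth_check:
            findings.append(Finding(name, number, match.group(1).upper()))
    return findings


def scan_export(export: dict) -> list:
    """Scan every module in an export (assumed format: name -> metadata dict)."""
    findings = []
    for name, meta in export.items():
        findings.extend(scan_module(name, meta))
    return findings


# Constructed sample export; module names and bodies are invented for this example.
SAMPLE_EXPORT = {
    "Z_DYN_UNCHECKED": {  # remote-enabled, no authorization check: finding
        "remote_enabled": True,
        "source": "\n".join([
            "FUNCTION z_dyn_unchecked.",
            "  DATA lv_prog TYPE string.",
            "  GENERATE SUBROUTINE POOL it_source NAME lv_prog.",
            "  PERFORM ('MAIN') IN PROGRAM (lv_prog) IF FOUND.",
            "ENDFUNCTION.",
        ]),
    },
    "Z_DYN_CHECKED": {  # remote-enabled, check precedes generation: clean
        "remote_enabled": True,
        "source": "\n".join([
            "FUNCTION z_dyn_checked.",
            "  AUTHORITY-CHECK OBJECT 'S_DEVELOP' ID 'ACTVT' FIELD '02'.",
            "  IF sy-subrc <> 0. RAISE not_authorized. ENDIF.",
            "  GENERATE SUBROUTINE POOL it_source NAME lv_prog.",
            "ENDFUNCTION.",
        ]),
    },
    "Z_DYN_COMMENTED_CHECK": {  # the only check is commented out: finding
        "remote_enabled": True,
        "source": "\n".join([
            "FUNCTION z_dyn_commented_check.",
            "* AUTHORITY-CHECK OBJECT 'S_DEVELOP' ID 'ACTVT' FIELD '02'.",
            "  INSERT REPORT lv_name FROM it_source.  \" dynamic program write",
            "ENDFUNCTION.",
        ]),
    },
    "Z_DYN_LOCAL_ONLY": {  # not RFC-enabled: out of scope for this heuristic
        "remote_enabled": False,
        "source": "GENERATE SUBROUTINE POOL it_source NAME lv_prog.",
    },
}

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(f"{finding.module}: line {finding.line}: {finding.statement} reached without AUTHORITY-CHECK")
```

The ordering rule (any AUTHORITY-CHECK earlier in the module counts) deliberately errs toward fewer findings; it does not verify that the check guards the right object or that a failed check actually stops execution, so each hit still needs a human read of the surrounding control flow. The comment stripper also ignores a `"` inside a string literal, which is acceptable for triage but not for a production linter.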
The Dutch National Cyber Security Center has confirmed that active attacks are already occurring, despite the absence of a public exploit. SAP released the necessary patch on August 12, but many organizations have yet to implement it.
There are no available workarounds for this vulnerability, making prompt patching the only viable defense. Stross cautioned that the traditional one-month patching cycle is inadequate for threats of this magnitude. He noted that many companies remain exposed due to the challenges of updating complex, highly customized SAP landscapes that support essential business functions like finance, human resources, and supply chain management.
Each update must be rigorously tested across interconnected systems, a process that often delays critical security improvements.
(Source: Info Security)