
Critical SAP S/4HANA Vulnerability Under Active Exploitation: How It Can Fully Compromise Your SAP System

A critical vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is currently being actively exploited, posing a severe threat to organisations running any release of S/4HANA, whether on-premise or in a private cloud. The vulnerability, which carries a CVSS score of 9.9 out of 10, allows an attacker who already holds low-privileged user access to gain complete control of the affected system. It was discovered by researchers at SecurityBridge Threat Research Labs, who have confirmed that malicious actors are already leveraging it. Successful exploitation of this ABAP code injection vulnerability grants the attacker full administrative privileges, enabling access to the underlying operating system and to all data held within the SAP system. The potential consequences include theft of sensitive business information, financial fraud, espionage, and ransomware deployment.

Security experts strongly advise organisations to act immediately by applying SAP's security updates released on August 11, 2025, specifically SAP Notes 3627998 and 3633838. They recommend reviewing who has access to the S_DMIS authorisation object and implementing SAP UCON to restrict Remote Function Call (RFC) usage. Additionally, organisations should actively monitor system logs for suspicious RFC calls, the creation of new high-privilege users, and unexpected changes to ABAP code. To further strengthen their posture, organisations should ensure robust system segmentation, maintain regular backups, and deploy SAP-specific security monitoring to detect and respond to attacks. Unpatched systems remain at immediate risk: because SAP's ABAP code is open to inspection, skilled attackers can readily reverse engineer the patch to work out the flaw.
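To make the three monitoring recommendations above concrete, here is an added example (not code from the original post, SAP, or SecurityBridge) that triages a handful of constructed, SAP-style audit events. The key=value line format, the allow-listed RFC functions and source host, and the user and object names are all assumptions invented for this example; only the SAP_ALL and SAP_NEW profile names are real.

```python
# Triage of constructed SAP-style audit events for the signals the advisory says to
# watch: suspicious RFC calls, new high-privilege users, unexpected ABAP changes.
# The key=value line format is invented for this example, not SAP's audit-log format.
import re

# Defender-maintained allow-lists. All values are constructed placeholders except
# SAP_ALL and SAP_NEW, which are real SAP profiles that grant broad access.
ALLOWED_RFC_FUNCTIONS = {"RFC_PING", "RFC_READ_TABLE"}
ALLOWED_RFC_SOURCES = {"10.0.0.5"}       # known integration host (constructed)
HIGH_PRIV_PROFILES = {"SAP_ALL", "SAP_NEW"}
CHANGE_MGMT_USERS = {"DEVUSER"}          # accounts permitted to modify ABAP objects
# Constructed sample lines in the simplified format this example assumes.
SAMPLE_LOG = """\
2025-08-12T10:01:00Z event=RFC_CALL user=BATCH01 src=10.0.0.5 func=RFC_READ_TABLE
2025-08-12T10:02:13Z event=RFC_CALL user=BATCH01 src=10.0.0.5 func=RFC_PING
2025-08-12T10:05:44Z event=RFC_CALL user=LOWPRIV src=203.0.113.7 func=Z_UNLISTED
2025-08-12T10:06:02Z event=USER_CREATE user=LOWPRIV new_user=SVC_X profile=SAP_ALL
2025-08-12T10:07:30Z event=ABAP_CHANGE user=LOWPRIV object=ZCL_HELPER action=MODIFY
2025-08-12T11:00:00Z event=ABAP_CHANGE user=DEVUSER object=ZCL_REPORT action=MODIFY
"""
_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_FIELD.findall(rest))
    fields["ts"] = ts
    return fields

def classify(ev):
    """Return the names of the rules an event trips (empty list means benign)."""
    hits = []
    kind = ev.get("event")
    if kind == "RFC_CALL":
        if ev.get("func") not in ALLOWED_RFC_FUNCTIONS:
            hits.append("rfc_unlisted_function")
        if ev.get("src") not in ALLOWED_RFC_SOURCES:
            hits.append("rfc_unknown_source")
    elif kind == "USER_CREATE" and ev.get("profile") in HIGH_PRIV_PROFILES:
        hits.append("new_high_priv_user")
    elif kind == "ABAP_CHANGE" and ev.get("user") not in CHANGE_MGMT_USERS:
        hits.append("abap_change_outside_change_mgmt")
    return hits

def triage(log):
    """Return (timestamp, user, rules) for every event that trips at least one rule."""
    events = (parse_line(l) for l in log.splitlines() if l.strip())
    return [(e["ts"], e.get("user"), r) for e in events if (r := classify(e))]
```

Run against the constructed sample, `triage(SAMPLE_LOG)` flags the three LOWPRIV events and nothing else; in practice the allow-lists would be populated from your own RFC inventory and change-management records.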

Categories: Cybersecurity Vulnerability, Exploitation and Threat Mitigation, SAP System Security

Tags: SAP S/4HANA, Vulnerability, CVE-2025-42957, Exploited, ABAP, Administrative Privileges, Security Updates, Phishing, System Compromise, Mitigations
