A critical security flaw in SAP S/4HANA, a widely deployed Enterprise Resource Planning (ERP) platform, is currently being actively exploited. The vulnerability, tracked as CVE-2025-42957 with a CVSS score of 9.9, was addressed by SAP in its August 2025 security updates.
The flaw resides in a function module exposed via Remote Function Call (RFC), allowing attackers with user-level privileges to inject arbitrary ABAP code into the system. This bypasses essential authorization checks, potentially leading to a full system compromise. Consequences include unauthorized modification of the SAP database, creation of superuser accounts with SAP_ALL privileges, extraction of password hashes, and disruption of business processes.
SecurityBridge Threat Research Labs has observed active exploitation of this vulnerability, affecting both on-premise and Private Cloud editions of SAP S/4HANA. Exploitation requires only low-privileged user access, making it relatively easy for attackers to fully compromise an SAP system. Such breaches can result in fraud, data theft, espionage, or the deployment of ransomware.
While widespread exploitation has not yet been reported, threat actors are aware of the vulnerability and can reverse-engineer the patch to develop exploits. Organizations are strongly advised to apply the available patches immediately, monitor logs for suspicious RFC calls or new administrative users, and ensure proper network segmentation and backups are in place.
Implementing SAP Unified Connectivity (UCON) to restrict which RFC function modules can be called from outside the system, and reviewing which users hold authorization object S_DMIS with activity 02, are also recommended measures to mitigate potential risks.
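The monitoring advice above (watch for suspicious RFC calls and for newly created administrative users) is easier to act on as concrete detection rules. The following Python script is an added example written for this page, not code from SecurityBridge or SAP. It runs over a constructed, deliberately simplified event log whose field layout (`timestamp|user|event|key=value;...`), trusted network range, expected function-module list, account names and source addresses are all assumptions rather than SAP's real Security Audit Log format; to use it for real you would map your exported audit-log fields into the same `Event` shape. It flags RFC calls to unexpected function modules or from untrusted sources, any assignment of SAP_ALL, and, as the highest-severity pattern, an account that receives SAP_ALL shortly after being created.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumptions for this example, not SAP defaults: tune these to your landscape.
TRUSTED_RFC_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # where RFC callers normally sit
EXPECTED_FUNCTION_MODULES = {"Z_REPORT_EXPORT"}               # constructed allowlist of known RFC targets
PRIVILEGED_PROFILES = {"SAP_ALL"}                             # profiles that should never appear unexpectedly
CREATE_TO_ELEVATE_WINDOW = timedelta(minutes=10)              # "new user, then SAP_ALL" correlation window

# Constructed sample log in a simplified hypothetical format (NOT SAP's audit-log format).
# Source 203.0.113.7 is a documentation-range address; all names are made up.
SAMPLE_LOG = """\
2025-08-14T09:02:11|JSMITH|RFC_CALL|fm=Z_REPORT_EXPORT;src=10.0.5.20
2025-08-14T09:03:45|JSMITH|RFC_CALL|fm=Z_EXAMPLE_UNEXPECTED_FM;src=203.0.113.7
2025-08-14T09:04:02|JSMITH|USER_CREATE|target=ZSUPPORT1
2025-08-14T09:04:30|JSMITH|PROFILE_ASSIGN|target=ZSUPPORT1;profile=SAP_ALL
2025-08-14T10:15:00|BASIS01|PROFILE_ASSIGN|target=ADMIN2;profile=SAP_NEW
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    detail: dict = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Split one 'timestamp|user|event|k=v;k=v' line into an Event."""
    ts, user, kind, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return Event(datetime.fromisoformat(ts), user, kind, fields)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (severity, timestamp, acting_user, message) findings for the
    indicators the advisory names. Events must be in chronological order."""
    findings = []
    created = {}  # target account -> (creation time, creator)
    for ev in events:
        if ev.kind == "RFC_CALL":
            fm = ev.detail.get("fm", "")
            src = ipaddress.ip_address(ev.detail.get("src", "0.0.0.0"))
            if fm not in EXPECTED_FUNCTION_MODULES:
                findings.append(("medium", ev.ts, ev.user,
                                 f"RFC call to unexpected function module {fm}"))
            if not any(src in net for net in TRUSTED_RFC_NETWORKS):
                findings.append(("medium", ev.ts, ev.user,
                                 f"RFC call from untrusted source {src}"))
        elif ev.kind == "USER_CREATE":
            created[ev.detail["target"]] = (ev.ts, ev.user)
        elif ev.kind == "PROFILE_ASSIGN":
            target = ev.detail["target"]
            profile = ev.detail.get("profile", "")
            if profile in PRIVILEGED_PROFILES:
                severity = "high"
                msg = f"{profile} assigned to {target}"
                # A brand-new account being handed SAP_ALL is the post-exploitation
                # pattern the advisory describes, so rank it above a lone assignment.
                if target in created and ev.ts - created[target][0] <= CREATE_TO_ELEVATE_WINDOW:
                    severity = "critical"
                    msg += (f" only {(ev.ts - created[target][0]).seconds}s after the account "
                            f"was created by {created[target][1]}")
                findings.append((severity, ev.ts, ev.user, msg))
    return findings


if __name__ == "__main__":
    for severity, ts, user, msg in detect(parse_log(SAMPLE_LOG)):
        print(f"[{severity.upper():8}] {ts.isoformat()} {user}: {msg}")
```

On the constructed sample the script reports two medium findings for the 09:03:45 RFC call (unexpected function module, untrusted source) and one critical finding for SAP_ALL landing on ZSUPPORT1 28 seconds after its creation; the SAP_NEW assignment by BASIS01 is not flagged. The point of the correlation rule is that each event alone is noisy in a real landscape, while the sequence "low-privileged user makes an unusual RFC call, creates an account, elevates it" is exactly the chain described above and deserves an immediate look.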