SAP S/4HANA Under Active Exploitation via CVE-2025-42957


CVE-2025-42957 is a severe remote code injection issue affecting SAP S/4HANA. This flaw allows attackers with only low-privileged SAP user accounts to execute arbitrary ABAP code remotely, leading to complete system takeover. It has been confirmed as exploited in the wild by both SecurityBridge and Pathlock Research Labs as of September 2025.

Due to SAP S/4HANA's central role in managing business-critical functions (finance, HR, supply chain and operations), this vulnerability poses an existential risk to enterprises across industries.

Severity Level: Critical

Vulnerability Details

  • CVE ID: CVE-2025-42957
  • CVSS Score: 9.9
  • Type: Remote ABAP Code Injection via RFC
  • Description: A valid SAP user with basic privileges and access to Remote Function Call (RFC) interfaces can execute ABAP code to escalate privileges, manipulate business data, or access the underlying OS.
  • Root Cause: The vulnerability is rooted in insecure handling of ABAP code injection in specific RFC-enabled function modules, such as /SLOAE/DEPLOY and /SLOAP/GEN_MODULE_REPORT. These modules fail to validate untrusted input properly, allowing remote attackers to inject and execute ABAP code through RFC calls. The issue is compounded by weak or misconfigured authorization settings (S_DMIS object with activity 02), making exploitation possible with minimal privileges.
  • Affected Products: SAP S/4HANA (Private Cloud or On-Premise), S4CORE versions 102, 103, 104, 105, 106, 107 and 108

Exploitation Of The Vulnerability

Exploitation has been confirmed in the wild. Attackers exploit the vulnerable RFC modules by sending crafted ABAP payloads.

If successful, they can:

  • Escalate privileges by creating SAP superuser accounts (SAP_ALL)
  • Extract SAP password hashes
  • Read, modify, or delete sensitive data in the SAP database
  • Deploy backdoors or install ransomware on the host OS

No user interaction is required, and the attack can be launched remotely over the network.

Recommendations

  1. Apply SAP Security Note 3627998 to patch CVE-2025-42957 on all S/4HANA systems. If SLT/DMIS is used, also apply SAP Note 3633838 (related CVE-2025-42950). Prioritize patching externally exposed or internet-facing SAP systems first.
  2. Check exposure:
    • Identify users with RFC access (S_RFC) and remove excessive permissions. Consider implementing SAP UCON to restrict RFC usage.
    • Audit and restrict S_DMIS activity 02 usage (used in exploitation).
  3. In SAP transaction SM59:
    • Enforce RFC callback allowlists.
    • Set rfc/callback_security_method to a secure value (>= 2) to prevent unauthorized callbacks.
  4. Integrate SAP logs into your SIEM and monitor for:
    • Excessive/unexpected RFC_PING executions
    • New SAP users with SAP_ALL or elevated roles
    • ABAP Changes: Unexpected report generation or program creation
    • Changes to trusted RFC destinations or user context
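The following is an added example, not code from the advisory or from SAP, showing how the SIEM indicators in step 4 and the callback-parameter check in step 3 could be expressed as detection logic. The event records are constructed and use a simplified, assumed SIEM-normalized shape (field names such as `type`, `fm`, `profiles` are this example's own, not the layout of SAP's Security Audit Log); the function-module names and the `rfc/callback_security_method` parameter come from the advisory, while the ping threshold, user names and destination names are assumptions.

```python
from collections import Counter

# Function modules named in the advisory as the injection vector.
SENSITIVE_FMS = {"/SLOAE/DEPLOY", "/SLOAP/GEN_MODULE_REPORT"}
# Profiles whose assignment to a newly created user should always be reviewed.
ELEVATED_PROFILES = {"SAP_ALL"}
# Calls per user per analysis window; the value is a tuning assumption, not an SAP default.
PING_THRESHOLD = 20

# Constructed sample events in an assumed SIEM-normalized form (not SAP's native log format):
# a burst of RFC_PING from one service user, a call to a vulnerable module, program generation,
# a new SAP_ALL user, a trusted-destination change, and one benign call for contrast.
EVENTS = [
    {"type": "RFC_CALL", "user": "SVC_INTEG", "fm": "RFC_PING", "src": "10.0.1.15"}
    for _ in range(25)
] + [
    {"type": "RFC_CALL", "user": "SVC_INTEG", "fm": "/SLOAP/GEN_MODULE_REPORT", "src": "10.0.1.15"},
    {"type": "PROGRAM_CREATE", "user": "SVC_INTEG", "program": "ZTMP_GEN01"},
    {"type": "USER_CREATE", "actor": "SVC_INTEG", "user": "ADMIN_X", "profiles": ["SAP_ALL"]},
    {"type": "RFC_DEST_CHANGE", "user": "SVC_INTEG", "dest": "PRD_TRUSTED", "field": "TRUSTED", "new": "X"},
    {"type": "RFC_CALL", "user": "JSMITH", "fm": "Z_BENIGN_READ", "src": "10.0.2.7"},
]


def detect(events, ping_threshold=PING_THRESHOLD):
    """Return (rule, subject, detail) findings for the four indicator classes in step 4."""
    findings = []

    # Indicator 1: excessive RFC_PING executions, aggregated per calling user.
    pings = Counter(e["user"] for e in events
                    if e["type"] == "RFC_CALL" and e["fm"] == "RFC_PING")
    for user, count in sorted(pings.items()):
        if count >= ping_threshold:
            findings.append(("EXCESSIVE_RFC_PING", user, count))

    for e in events:
        kind = e["type"]
        # Any invocation of the vulnerable modules is worth an alert until the note is applied.
        if kind == "RFC_CALL" and e["fm"] in SENSITIVE_FMS:
            findings.append(("SENSITIVE_RFC_FM", e["user"], e["fm"]))
        # Indicator 2: new users created with SAP_ALL or other elevated profiles.
        elif kind == "USER_CREATE":
            elevated = sorted(set(e["profiles"]) & ELEVATED_PROFILES)
            if elevated:
                findings.append(("NEW_ELEVATED_USER", e["user"], ",".join(elevated)))
        # Indicator 3: unexpected ABAP program creation / report generation.
        elif kind == "PROGRAM_CREATE":
            findings.append(("ABAP_PROGRAM_CREATED", e["user"], e["program"]))
        # Indicator 4: changes to trusted RFC destinations.
        elif kind == "RFC_DEST_CHANGE":
            findings.append(("RFC_DEST_CHANGED", e["user"], e["dest"]))
    return findings


def callback_security_ok(profile_text):
    """Step 3 check: True only if rfc/callback_security_method is set and >= 2.

    Expects 'name = value' profile lines; '#' starts a comment. A missing parameter is
    treated as not secure so that the default is never silently trusted.
    """
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name == "rfc/callback_security_method":
            try:
                return int(value) >= 2
            except ValueError:
                return False
    return False


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print("callback parameter ok:", callback_security_ok("rfc/callback_security_method = 2"))
```

In a real deployment the `EVENTS` list would be replaced by the normalized stream from the SIEM connector, and the threshold for `EXCESSIVE_RFC_PING` tuned against a baseline of legitimate integration traffic, since some monitoring tools issue `RFC_PING` routinely.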

Source:

  • https://pathlock.com/blog/security-alerts/cve-2025-42957-critical-sap-s-4hana-code-injection-vulnerability/
  • https://securitybridge.com/blog/critical-sap-s-4hana-code-injection-vulnerability-cve-2025-42957/#elementor-toc__heading-anchor-7
  • https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2025.html

Ampcus Cyber