Fast Facts
- Critical Vulnerability Exploitation: The SAP S/4HANA ERP software is facing active exploitation of a severe code injection vulnerability (CVE-2025-42957), which has a CVSS score of 9.9, allowing low-privileged users to fully compromise targeted systems.
- Confirmed Attacks: SecurityBridge confirmed that actual abuse of this vulnerability has occurred, highlighting that unpatched SAP systems are at risk of exploitation, despite widespread attacks not being reported yet.
- High Risk for SAP Customers: Attackers can escalate privileges with just one valid user account, enabling them to manipulate or delete data directly and create backdoors for persistent access.
- Urgent Mitigation Needed: SAP customers are urged to apply the available patch immediately and should implement measures like SAP’s Unified Connectivity framework to limit risks from potential exploitation.
A critical code injection vulnerability in SAP’s S/4HANA ERP software that was first disclosed last month is now under exploitation in the wild.
SAP previously disclosed and patched CVE-2025-42957, which affects both private cloud and on-premise S/4HANA instances. The flaw, which received a 9.9 CVSS score, allows attackers with low-privileged user access to inject SAP’s ABAP code into a system to fully compromise it. The vulnerability was discovered and reported to the software maker by SecurityBridge, an SAP-focused security firm based in Germany.
In a blog post Thursday, SecurityBridge said it discovered an exploit for CVE-2025-42957 and confirmed it has been used in the wild. “While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability,” the blog post said. “That means attackers already know how to use it – leaving unpatched SAP systems exposed.”
SecurityBridge added that SAP’s patch for CVE-2025-42957 is “relatively easy” to reverse engineer, and that successful exploitation gives attackers access to the operating system and all data in the targeted SAP system.
SecurityBridge wasn’t the only company to flag exploitation activity. Pathlock, a cybersecurity vendor based in Denver, said it “detected outlier activity consistent with exploitation attempts of CVE-2025-42957,” according to a blog post published Friday.
In a statement to media outlets, Jonathan Stross, SAP security analyst at Pathlock, said exploitation activity “surged dramatically” after the patch for CVE-2025-42957 was released.
It’s unclear if the exploit discovered by SecurityBridge is a proof-of-concept. Dark Reading contacted SecurityBridge for comment, but the company did not respond at press time.
High Danger for SAP Customers
Even though an attacker would need a valid user account to exploit CVE-2025-42957, SecurityBridge said the vulnerability was “especially dangerous.”
“The attack complexity is low and can be performed over the network, which is why the CVSS score is so high (9.9),” the blog post said. “In summary, a malicious insider or a threat actor who has gained basic user access (through phishing, for example) could leverage this flaw to escalate into full control of the SAP environment.”
With one user account and a remote function call (RFC) to a vulnerable module, an attacker can gain administrative privileges to the SAP system, according to SecurityBridge. From there, the attacker can begin manipulating or deleting corporate data directly in the SAP database, create additional accounts with admin privileges that act as persistent backdoors, exfiltrate data such as hashed passwords, and cause further damage with control of the host OS.
SecurityBridge urged customers to immediately apply the patch for CVE-2025-42957, which was released in SAP’s August 2025 security updates. To defend against potential exploitation, the company recommended implementing SAP’s Unified Connectivity framework (UCON) to restrict RFC usage, and to monitor logs for suspicious RFC calls and newly created admin accounts.
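The two monitoring checks SecurityBridge recommends above, RFC calls outside an approved set and newly created accounts that receive admin rights, can be sketched as a small detection pass. This is an added illustration, not code from SecurityBridge, SAP or the article; the `key=value` event format, the field names, the allowlisted module names and the `ADMIN_PROFILES` set are all assumptions standing in for whatever a real SAP Security Audit Log or gateway log export provides.

```python
"""Toy detection pass over constructed SAP-style audit events.

Added example (not SecurityBridge's or SAP's code). The line format is a
simplified, constructed stand-in for real SAP audit/gateway log events;
field names and module names are assumptions, not SAP's own.
"""
from dataclasses import dataclass

# Assumed allowlist of RFC function modules the business actually needs.
# This mirrors the UCON idea: anything reachable over RFC that is not on
# the list deserves a look. Module names here are placeholders.
RFC_ALLOWLIST = {"Z_APPROVED_REPORT", "BAPI_USER_GET_DETAIL"}

# Profiles that confer admin rights. SAP_ALL is the classic example;
# a real deployment would add its own admin roles here (assumption).
ADMIN_PROFILES = {"SAP_ALL"}


@dataclass
class Alert:
    kind: str    # which check fired
    user: str    # acting user
    detail: str  # module called, or the account that was created


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value ...' line (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split())


def scan(lines):
    """Flag RFC calls to non-allowlisted modules and new admin accounts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "RFC_CALL" and ev.get("module") not in RFC_ALLOWLIST:
            alerts.append(Alert("rfc_not_allowlisted", ev["user"], ev["module"]))
        elif ev.get("type") == "USER_CREATE" and ev.get("profile") in ADMIN_PROFILES:
            alerts.append(Alert("new_admin_account", ev["user"], ev["new_user"]))
    return alerts


# Constructed sample events (not real log output).
SAMPLE = [
    "type=RFC_CALL user=JSMITH module=BAPI_USER_GET_DETAIL src=10.0.0.5",
    "type=RFC_CALL user=JSMITH module=Z_UNKNOWN_MODULE src=10.0.0.5",
    "type=USER_CREATE user=JSMITH new_user=SVC_BACKUP profile=SAP_ALL",
    "type=USER_CREATE user=ADMIN01 new_user=TEMP01 profile=Z_READONLY",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Run against the sample, the pass raises two alerts: the call to the non-allowlisted module and the creation of an account with SAP_ALL by a low-privileged user.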
The exploitation of CVE-2025-42957 follows attacks in the spring on a critical SAP NetWeaver zero-day flaw tracked as CVE-2025-31324. The vulnerability came under subsequent waves of attacks in the weeks following its initial disclosure in late April.
