Critical SAP S/4HANA Vulnerability Actively Exploited, Allowing Full System Takeover

A critical security flaw in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited by attackers, according to research from SecurityBridge.

The vulnerability, which carries a CVSS score of 9.9 out of 10, allows a low-privileged user to execute code injection and gain full control of an SAP system.

Organizations running SAP S/4HANA on-premise or in private cloud environments must apply the vendor’s patch immediately to prevent a complete system takeover.

SecurityBridge’s Threat Research Labs first discovered the flaw during routine security testing and disclosed it to SAP on June 27, 2025.

SAP released a fix as part of its August 2025 Patch Day on August 11. However, SecurityBridge has confirmed that the vulnerability is already used in real-world attacks, meaning unpatched systems remain at high risk.

Exploitation of CVE-2025-42957 requires only a valid SAP user account with access to a vulnerable RFC module and the S_DMIS authorization object with activity 02.

No additional user interaction, such as clicking a malicious link, is needed. Once exploited, an attacker can:

• Execute arbitrary ABAP code on the SAP application layer
• Read, modify, or delete any data in the SAP database
• Create new SAP users with full administrative rights (SAP_ALL)
• Download password hashes for all SAP accounts
• Alter or disable critical business processes

The simplicity of the attack and its network-based nature make this flaw extremely dangerous.

A threat actor could start with basic user credentials obtained via phishing or insider access and rapidly escalate privileges to take over the entire SAP environment.

From there, attackers can tamper with financial records, steal customer data, or deploy ransomware on underlying servers.

SecurityBridge has not observed widespread global campaigns yet, but targeted abuse is confirmed.

Experts warn that reverse-engineering the SAP patch is relatively straightforward because ABAP code is open and visible. This ease of exploit development underscores the urgency of patching.

To mitigate risk, SAP customers should:

1. Apply SAP Security Notes 3627998 and 3633838 without delay.
2. Review and restrict S_DMIS authorization object usage and limit RFC calls.
3. Monitor system logs for unusual RFC requests or new administrative accounts.
4. Enforce network segmentation and maintain up-to-date backups.
5. Consider deploying SAP UCON to tighten access controls.

Organizations using the SecurityBridge platform can also detect and block exploitation attempts for CVE-2025-42957, gaining visibility into suspicious activity.

This incident highlights the critical importance of timely patching and monitoring within SAP landscapes.

Enterprises must treat this vulnerability as an emergency, prioritizing rapid deployment of updates and strengthening their overall SAP security posture to prevent potential fraud, data loss, or operational disruption.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!