A critical SAP S/4HANA code injection vulnerability is being leveraged in attacks in the wild to breach exposed servers, researchers warn.
The flaw, tracked as CVE-2025-42957, is an ABAP code injection problem in an RFC-exposed function module of SAP S/4HANA, allowing low-privileged authentication users to inject arbitrary code, bypass authorization, and fully take over SAP.
The vendor fixed the vulnerability on August 11, 2025, rating it critical (CVSS score: 9.9).
However, several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug.
According to a report by SecurityBridge, CVE-2025-42957 is now under active, albeit limited, exploitation in the wild.
SecurityBridge stated that it discovered the vulnerability and reported it responsibly to SAP on June 27, 2025, and even assisted in the development of a patch.
However, due to the openness of the impacted components and the ability to reverse engineer the fixes, it is trivial for highly skilled, knowledgeable threat actors to figure out the exploit themselves.
“While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability,” reads the SecurityBridge report.
“That means attackers already know how to use it – leaving unpatched SAP systems exposed.”
“Additionally, reverse engineering the patch to create an exploit is relatively easy for SAP ABAP, since the ABAP code is open to see for everyone.”
The security firm warned that the potential ramifications of CVE-2025-42957 exploitation include data theft, data manipulation, code injection, privilege escalation through the creation of backdoor accounts, credential theft, and operational disruption through malware, ransomware, or other means.
SecurityBridge created a video demonstrating how the vulnerability can be exploited to run system commands on SAP servers.
SAP administrators who haven’t applied the August 2025 Patch Day updates yet should do so as soon as possible.
The affected products and versions are:
- S/4HANA (Private Cloud or On-Premise), versions S4CORE 102, 103, 104, 105, 106, 107, 108
- Landscape Transformation (Analysis Platform), DMIS versions 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
- Business One (SLD), version B1_ON_HANA 10.0 and SAP-M-BO 10.0
- NetWeaver Application Server ABAP (BIC Document), versions S4COREOP 104, 105, 106, 107, 108, SEM-BW 600, 602, 603, 604, 605, 634, 736, 746, 747, 748
A bulletin containing more information about the recommended actions is available here, but is only viewable by SAP customers with an account.
BleepingComputer contacted SAP and SecurityBridge to ask how CVE-2025-42957 is being exploited, but we are still waiting for a response.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
