Redazione RHC : 8 September 2025 09:49
A critical vulnerability, CVE-2025-42957, has been identified in SAP S/4HANA, which has received a CVSS score of 9.9. The flaw allows a minimally privileged user to perform code injection and effectively take control of the entire system. It was discovered by the SecurityBridge Threat Research Labs team, which also confirmed its exploitation in real-world attacks.
The vulnerability affects all versions of S/4HANA, including Private Cloud and On-Premise. Successful exploitation requires only a low-privileged account; from there, the attacker gains the ability to execute operating system-level commands, create SAP superusers with SAP_ALL privileges, modify database data and business processes, and steal password hashes.
Therefore, the attack can lead to data theft, financial fraud, espionage, or the installation of ransomware.
SAP released the patches on August 12, 2025, as part of its monthly “Patch Day.” To fix the vulnerability, you must install the updates from note #3627998 and, if you use SLT/DMIS, also from #3633838.
Experts strongly recommend updating immediately: because ABAP code is open to inspection, the published patch makes it easier to derive a working exploit.
In addition to installing the updates, SAP administrators are advised to restrict RFC usage via SAP UCON, verify access to the S_DMIS authorization object, monitor suspicious RFC calls and new administrators, and ensure network segmentation, backups, and dedicated monitoring are in place.
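As an added example that is not part of the article and not SAP's own tooling, the following Python script shows the kind of triage the monitoring advice above points to: it flags RFC calls that fall outside a UCON-style allow-list and grants of SAP_ALL, and links the two when the same account is behind both, which mirrors the escalation path the article describes. All event records, field names, user names and the custom function module name are constructed for this example (only SAP_ALL and RFC_READ_TABLE are real SAP names).

```python
"""Triage of constructed SAP-style events: off-allow-list RFC calls and
sensitive profile grants. Example code, not from the article or from SAP."""
from dataclasses import dataclass

# Constructed sample events; the field names are assumptions, not a real SAP log format.
SAMPLE_EVENTS = [
    {"type": "rfc_call", "user": "ZREPORT01", "func": "RFC_READ_TABLE", "src": "10.0.5.7"},
    {"type": "rfc_call", "user": "ZREPORT01", "func": "ZSLT_SYNC_HELPER", "src": "10.0.5.7"},
    {"type": "profile_assign", "user": "ZREPORT01", "target": "Z_TMPADM", "profile": "SAP_ALL"},
    {"type": "profile_assign", "user": "BASISADM", "target": "J_DOE", "profile": "Z_DISPLAY_ONLY"},
]

# UCON-style allow-list: which function modules each RFC user is expected to call.
# Constructed values for illustration.
RFC_ALLOWLIST = {"ZREPORT01": {"RFC_READ_TABLE"}}
# Profiles whose assignment should always be reviewed (SAP_ALL is named in the article).
SENSITIVE_PROFILES = {"SAP_ALL"}


@dataclass(frozen=True)
class Finding:
    severity: str
    user: str
    detail: str


def triage(events, allowlist=RFC_ALLOWLIST, sensitive=SENSITIVE_PROFILES):
    """Return findings for RFC calls outside the allow-list and for sensitive
    profile grants; a grant by an account with earlier anomalous RFC activity
    is annotated so the escalation chain is visible in one finding."""
    findings = []
    anomalous_callers = set()
    for ev in events:
        if ev["type"] == "rfc_call":
            if ev["func"] not in allowlist.get(ev["user"], set()):
                anomalous_callers.add(ev["user"])
                findings.append(Finding("high", ev["user"],
                    f"RFC call to {ev['func']} from {ev['src']} is outside the allow-list"))
        elif ev["type"] == "profile_assign" and ev["profile"] in sensitive:
            detail = f"granted {ev['profile']} to {ev['target']}"
            if ev["user"] in anomalous_callers:
                detail += " after anomalous RFC activity by the same account"
            findings.append(Finding("critical", ev["user"], detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user}: {f.detail}")
```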
SecurityBridge emphasizes that attempts to exploit the vulnerability have already been recorded, so systems that remain unpatched are genuinely at risk.