SAP S/4HANA Exploited Vulnerability

September 5, 2025

A severe command injection vulnerability, identified as CVE-2025-42957 (CVSS score 9.9), is currently being exploited in SAP S/4HANA, a widely used Enterprise Resource Planning (ERP) software. This flaw, which was addressed by SAP in its monthly security updates, is particularly dangerous because it allows an attacker with a low-privileged user account to bypass standard authorization checks. By exploiting a vulnerability in a function module exposed via Remote Function Call (RFC), attackers can inject arbitrary ABAP code, effectively granting them significant control over the system. This allows them to subvert the fundamental security pillars of confidentiality, integrity, and availability.

The implications of a successful exploitation are profound. Attackers can gain the ability to completely compromise the SAP environment. This includes the capacity to manipulate the SAP database, create unauthorized superuser accounts with SAP_ALL privileges, exfiltrate sensitive data like password hashes, and fundamentally alter critical business processes. Security experts have observed active exploitation of this flaw in both on-premises and Private Cloud deployments, highlighting the immediate and widespread risk. The low barrier to entry, requiring only minimal user privileges, makes this a highly attractive target for malicious actors.

Security researchers have warned that while widespread exploitation has not yet been reported, the knowledge required to create a working exploit is readily available. Reverse engineering the patch released by SAP is considered “relatively easy,” which means the number of threat actors capable of leveraging this vulnerability is likely to grow. This ease of exploit creation poses a significant risk for organizations that have not yet applied the necessary security patches. It creates a critical window of opportunity for attackers to cause severe damage, which could range from financial fraud and data theft to industrial espionage and the deployment of ransomware.

In light of these threats, organizations using SAP S/4HANA are strongly advised to take immediate action. The top priority is to apply the security patches released by SAP as soon as possible. Following this, it’s crucial to implement a robust monitoring strategy, including actively reviewing logs for suspicious RFC calls or the creation of new administrative user accounts. Additionally, organizations should ensure proper network segmentation is in place to contain potential breaches and maintain up-to-date backups to facilitate rapid recovery. These proactive measures are essential to mitigate the risk and protect critical business operations from compromise.

Beyond immediate patching, security experts recommend several additional mitigation steps. Organizations should consider implementing SAP UCON to restrict the usage of RFC, which can limit the attack surface. Furthermore, it’s critical to review and restrict access to the authorization object S_DMIS with activity 02. These steps help to close potential security gaps and reduce the likelihood of a successful attack. Given the active nature of this threat, a multi-layered security approach combining technical patches, proactive monitoring, and access control is the most effective defense against this critical vulnerability.
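As an added example (not from the original alert or from SAP), the S_DMIS review recommended above can be scripted against exported role data. The CSV layout, role names and user names are constructed assumptions; the check shows that wildcard, pattern and range values grant activity 02 just as an explicit 02 does, and that only currently valid role assignments count.

```python
import csv, io
from datetime import date

# Constructed sample data (not from a real system). Column layout is an
# assumption modelled on a role-authorization export: one row per field value.
ROLE_AUTHS = """role,object,field,low,high
Z_SLT_ADMIN,S_DMIS,ACTVT,02,
Z_SLT_DISPLAY,S_DMIS,ACTVT,03,
Z_BASIS_WIDE,S_DMIS,ACTVT,*,
Z_MIGRATION,S_DMIS,ACTVT,01,03
Z_FI_CLERK,F_BKPF_BUK,ACTVT,02,
Z_PATTERN,S_DMIS,ACTVT,0*,
"""
ROLE_USERS = """role,user,valid_from,valid_to
Z_SLT_ADMIN,SLT_BATCH,2024-01-01,9999-12-31
Z_SLT_DISPLAY,AUDITOR1,2024-01-01,9999-12-31
Z_BASIS_WIDE,JDOE,2025-03-01,9999-12-31
Z_MIGRATION,CONTRACTOR7,2024-06-01,2025-01-31
Z_FI_CLERK,ASMITH,2023-01-01,9999-12-31
Z_PATTERN,RFC_INTERFACE,2025-01-01,9999-12-31
"""

def value_covers(low, high, wanted):
    """True if an authorization value (single, range or pattern) includes `wanted`."""
    low, high = low.strip(), high.strip()
    if high:                      # range such as 01..03
        return low <= wanted <= high
    if low.endswith("*"):         # full wildcard "*" or prefix pattern "0*"
        return wanted.startswith(low[:-1])
    return low == wanted

def risky_roles(auth_csv, obj="S_DMIS", field="ACTVT", wanted="02"):
    rows = csv.DictReader(io.StringIO(auth_csv))
    return {r["role"] for r in rows
            if r["object"] == obj and r["field"] == field
            and value_covers(r["low"], r["high"] or "", wanted)}

def users_to_review(auth_csv, users_csv, today):
    roles = risky_roles(auth_csv)
    hits = {}
    for r in csv.DictReader(io.StringIO(users_csv)):
        active = date.fromisoformat(r["valid_from"]) <= today <= date.fromisoformat(r["valid_to"])
        if r["role"] in roles and active:
            hits.setdefault(r["user"], []).append(r["role"])
    return hits

if __name__ == "__main__":
    for user, roles in sorted(users_to_review(ROLE_AUTHS, ROLE_USERS, date(2025, 9, 5)).items()):
        print(f"{user}: S_DMIS ACTVT=02 via {', '.join(roles)}")
```

Each user it reports is a candidate for removing the role or narrowing its activity value; accounts used for RFC interfaces deserve the closest look.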

Reference:

  • SAP S/4HANA Critical Vulnerability CVE-2025-42957 Actively Exploited in the Wild