A critical **SAP S/4HANA code injection vulnerability (CVE-2025-42957, CVSS 9.9)** is being actively exploited in the wild. It allows low-privileged authenticated attackers to inject arbitrary ABAP code through an RFC-exposed function module, bypass authorization, and achieve full system takeover. SAP released a patch on **August 11, 2025**, but unpatched systems remain exposed, and the openness of SAP ABAP code makes the fix easy to reverse-engineer. Exploitation enables **data theft, manipulation, privilege escalation (via backdoor accounts), credential theft, and operational disruption**, including potential **ransomware deployment or malware-based outages**. SecurityBridge, which discovered and reported the flaw, confirmed **real-world abuse** and warned that skilled threat actors can weaponize it trivially.

The vulnerability affects multiple SAP products, including **S/4HANA (Private Cloud/On-Premise), NetWeaver ABAP, and Business One**, risking **enterprise-wide compromise**. Administrators are urged to apply patches immediately; delayed updates leave critical infrastructure vulnerable to **full system hijacking, financial fraud, or supply-chain attacks** via compromised SAP servers. The flaw’s severity stems from its ability to **disrupt core business operations, expose sensitive data, and enable follow-on attacks** like ransomware or lateral movement into connected networks.
TPRM report: https://www.rankiteo.com/company/sap
"id": "sap5464254090625",
"linkid": "sap",
"type": "Vulnerability",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Technology',
'location': 'Global',
'name': 'SAP',
'size': 'Large',
'type': 'Enterprise Software Provider'}],
'attack_vector': ['Network',
'RFC-Exposed Function Module',
'ABAP Code Injection'],
'customer_advisories': ['Apply patches immediately',
'Monitor for signs of exploitation',
'Review SAP security configurations'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Sensitive Business Data',
'Credentials',
'Potentially PII']},
'date_detected': '2025-06-27',
'date_publicly_disclosed': '2025-08-11',
'description': 'A critical SAP S/4HANA code injection vulnerability '
'(CVE-2025-42957) is being actively exploited in the wild. The '
'flaw, an ABAP code injection issue in an RFC-exposed function '
'module, allows low-privileged authenticated users to inject '
'arbitrary code, bypass authorization, and fully take over SAP '
'systems. SAP released a patch on August 11, 2025, but '
'unpatched systems remain at risk. Exploitation can lead to '
'data theft, manipulation, privilege escalation, credential '
'theft, and operational disruption via malware or ransomware. '
'SecurityBridge, which discovered and reported the '
'vulnerability, confirmed limited but active abuse and warned '
'of the ease of reverse-engineering the patch due to the '
'openness of SAP ABAP code.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'identity_theft_risk': True,
'operational_impact': True,
'systems_affected': True},
'initial_access_broker': {'backdoors_established': True,
'entry_point': ['RFC-Exposed Function Module in SAP '
'S/4HANA'],
'high_value_targets': ['SAP S/4HANA Servers',
'Business-Critical Data',
'Credentials']},
'investigation_status': 'Ongoing (Limited exploitation confirmed; SAP and '
'SecurityBridge investigating)',
'lessons_learned': 'Critical vulnerabilities in enterprise software like SAP '
'S/4HANA can be quickly weaponized if patches are delayed. '
'The openness of ABAP code makes reverse-engineering fixes '
'easier for threat actors, emphasizing the need for timely '
'patching and proactive monitoring. RFC-exposed function '
'modules are high-value targets for code injection '
'attacks, requiring strict access controls and regular '
'audits.',
'motivation': ['Data Theft',
'Data Manipulation',
'Privilege Escalation',
'Credential Theft',
'Operational Disruption',
'Potential Financial Gain'],
'post_incident_analysis': {'corrective_actions': ['Mandatory patching for all '
'affected SAP versions',
'Enhanced logging and '
'monitoring for ABAP code '
'execution',
'Access restrictions for '
'RFC function modules',
'Regular vulnerability '
'assessments for SAP '
'environments',
'Collaboration with SAP and '
'SecurityBridge for threat '
'intelligence'],
'root_causes': ['Unpatched SAP systems vulnerable '
'to CVE-2025-42957',
'Insufficient access controls for '
'RFC-exposed function modules',
'Delayed patching despite critical '
'CVSS score (9.9)',
'Ease of reverse-engineering ABAP '
'code fixes']},
'recommendations': ["Immediately apply SAP's August 2025 Patch Day updates "
'for affected products.',
'Conduct a thorough audit of RFC-exposed function modules '
'in SAP environments.',
'Implement least-privilege access controls for SAP users '
'to mitigate code injection risks.',
'Monitor for unusual activity in SAP logs, particularly '
'related to ABAP code execution.',
'Engage with SAP and SecurityBridge for guidance on '
'securing vulnerable systems.',
'Restrict access to SAP customer bulletins and ensure '
'internal teams are aware of critical vulnerabilities.',
'Consider network segmentation to isolate SAP systems '
'from untrusted networks.'],
'references': [{'source': 'SecurityBridge Report on CVE-2025-42957'},
{'source': 'BleepingComputer Article'},
{'source': 'SAP Security Bulletin (August 2025 Patch Day)'}],
'response': {'communication_strategy': ['SAP Customer Bulletin (Restricted '
'Access)',
'SecurityBridge Report',
'Public Advisory via '
'BleepingComputer'],
'containment_measures': ['Apply August 2025 SAP Patch Day '
'Updates'],
'third_party_assistance': ['SecurityBridge (Vulnerability '
'Discovery & Patch Development)']},
'stakeholder_advisories': ['SAP Customers (via restricted bulletin)',
'Enterprise SAP Administrators'],
'title': 'Critical SAP S/4HANA Code Injection Vulnerability (CVE-2025-42957) '
'Exploited in the Wild',
'type': ['Vulnerability Exploitation',
'Code Injection',
'Privilege Escalation',
'Unauthorized Access'],
'vulnerability_exploited': 'CVE-2025-42957 (ABAP Code Injection in SAP '
'S/4HANA)'}