- SAP patches critical S/4HANA flaw that allowed complete system takeover
- Attackers can inject ABAP code and bypass authorization checks over RFC
- Some systems remain unpatched, and exploitation has already been confirmed
S/4HANA, SAP's enterprise resource planning (ERP) software suite, carried a critical vulnerability that allowed threat actors to completely take over vulnerable endpoints.
The company published a patch after security researchers warned of “limited” exploitation in the wild.
SecurityBridge researchers discovered and reported an improper control of generation of code issue that can lead to code injection. An attacker with ordinary user privileges could exploit it over RFC, allowing the injection of arbitrary ABAP code and, with it, the bypass of essential authorization checks.
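To make the weakness class concrete, the following ABAP is an added illustration of "improper control of generation of code" (CWE-94) exposed over RFC. It is not SAP's code and not the affected function module, which this article does not identify; all names (the Z_DEMO_* modules, the Z_DEMO_ACT authorization object) are hypothetical. The first module shows the dangerous pattern, the second a hardened equivalent.

```abap
" Generic illustration of CWE-94 in ABAP (added example; not SAP's code and
" not the vulnerable module behind CVE-2025-42957, which this article does not
" identify). All names (Z_DEMO_*, Z_DEMO_ACT) are hypothetical.

" VULNERABLE PATTERN: an RFC-enabled function module that splices a caller-
" supplied string into ABAP source and generates it. Whatever the caller sends
" executes in the backend with the module's own authorizations; the only gate
" is the ability to reach the module over RFC, so ordinary user privileges
" are enough to bypass every authorization check the application would
" normally enforce.
FUNCTION z_demo_run_dynamic.
*"  IMPORTING
*"     VALUE(iv_stmt) TYPE string
  DATA lt_src  TYPE TABLE OF string.
  DATA lv_prog TYPE syrepid.
  DATA lv_msg  TYPE string.

  APPEND `PROGRAM z_dyn.` TO lt_src.
  APPEND `FORM run.`      TO lt_src.
  APPEND iv_stmt          TO lt_src.   " untrusted input becomes code
  APPEND `ENDFORM.`       TO lt_src.

  GENERATE SUBROUTINE POOL lt_src NAME lv_prog MESSAGE lv_msg.
  IF sy-subrc = 0.
    PERFORM run IN PROGRAM (lv_prog).
  ENDIF.
ENDFUNCTION.

" HARDENED PATTERN: no source generation at all. The caller selects an action
" from a fixed allow-list, and the module performs an explicit AUTHORITY-CHECK
" before doing anything, so the RFC caller's own authorizations, not the mere
" existence of the module, decide what is allowed.
FUNCTION z_demo_run_action.
*"  IMPORTING
*"     VALUE(iv_action) TYPE string
*"  EXCEPTIONS
*"     not_authorized
*"     invalid_action
  AUTHORITY-CHECK OBJECT 'Z_DEMO_ACT'   " hypothetical authorization object
    ID 'ACTVT' FIELD '16'.              " activity 16 = execute
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  CASE iv_action.
    WHEN 'SUMMARY'.
      PERFORM show_summary.    " implemented elsewhere in the function group
    WHEN 'EXPORT'.
      PERFORM export_data.
    WHEN OTHERS.
      RAISE invalid_action.    " anything outside the allow-list is rejected
  ENDCASE.
ENDFUNCTION.
```

When reviewing RFC-enabled function modules in your own system, the same two questions apply: does any caller-controlled value flow into GENERATE SUBROUTINE POOL, INSERT REPORT or a dynamic PERFORM/CALL, and is there an AUTHORITY-CHECK whose outcome actually stops execution before that point.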
Reverse Engineering
According to the NVD, the vulnerability “effectively functions as a backdoor” and can lead to a “full compromise of the system.”
It is now tracked as CVE-2025-42957 and was given a severity score of 9.9/10 (critical). It was discovered on June 27, 2025 and fixed on August 11.
But SecurityBridge says that not all users rushed to apply the patch, which leaves them an active target for threat actors.
“While widespread exploitation has not yet been reported, SecurityBridge has verified real-world abuse of this vulnerability,” the researchers said. “That means attackers already know how to use it, leaving unpatched SAP systems exposed.”
“In addition, reverse-engineering the patch to create an exploit is relatively easy for SAP ABAP, since the ABAP code is open for everyone to read.”
SecurityBridge stressed that threat actors could abuse this flaw to steal sensitive files, manipulate data, deploy malware, escalate privileges, steal login credentials and possibly even drop ransomware. It is not known which groups are currently abusing the flaw, how, or against whom.
SAP said vulnerable instances include multiple versions of S/4HANA (Private Cloud and On-Premise), SAP Landscape Transformation, Business One and NetWeaver Application Server ABAP. A detailed list can be found here. A more detailed security note was also published, but it is only available to SAP customers with an active account.
Via BleepingComputer