A critical vulnerability in SAP S/4HANA is being actively exploited in the wild, allowing attackers with low-level user access to gain complete control over affected systems.
The vulnerability, tracked as CVE-2025-42957, carries a CVSS score of 9.9 out of 10, signaling a severe and imminent threat to organizations running all releases of S/4HANA, both on-premise and in private clouds.
The flaw was discovered by researchers at SecurityBridge Threat Research Labs, who have now verified that malicious actors are already using it.
SAP released a patch on August 11, 2025, and experts are urging all customers to apply the security updates immediately.
Successful exploitation of this ABAP code injection vulnerability grants an attacker full administrative privileges. This allows them to access the underlying operating system and gain complete control over all data within the SAP system.
The consequences are dire and can include the theft of sensitive business information, financial fraud, espionage, or the deployment of ransomware.
An attacker could delete or insert data directly into the database, create new administrator accounts with SAP_ALL privileges, download password hashes, and modify core business processes with minimal effort.
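One of the post-exploitation actions named above, creating a user with SAP_ALL, leaves a trace in the user master tables that a defender can audit even if application logs were tampered with. The script below is an added example (it is not code from the article or from SecurityBridge) that assumes semicolon-separated exports of two standard SAP tables, USR02 (user master: BNAME, ERDAT, ANAME) and UST04 (user-to-profile assignment: BNAME, PROFILE), and flags any holder of SAP_ALL or SAP_NEW who is not on an approved baseline or was created on or after a chosen date, such as the disclosure date. The sample rows, the baseline, and the user names are constructed for illustration.

```python
"""Flag unexpected SAP_ALL / SAP_NEW holders from USR02 and UST04 exports.

Added example, not from the original article. Assumes exports in
semicolon-separated form with the column names used below; the rows
are constructed sample data.
"""
import csv
import io

# Profiles that grant effectively unrestricted authorisation in ABAP systems.
PRIVILEGED_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed USR02 export: user name, creation date (YYYYMMDD), creator.
USR02_EXPORT = """BNAME;ERDAT;ANAME
DDIC;20190101;SAP*
SAPADMIN;20200315;DDIC
JDOE;20230705;SAPADMIN
SVC_RFC;20250812;JDOE
"""

# Constructed UST04 export: user name, assigned profile.
UST04_EXPORT = """BNAME;PROFILE
DDIC;SAP_ALL
SAPADMIN;SAP_ALL
JDOE;Z_FI_DISPLAY
SVC_RFC;SAP_ALL
SVC_RFC;SAP_NEW
"""


def parse_export(text):
    """Parse a semicolon-separated table export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def find_unexpected_admins(usr02_rows, ust04_rows, baseline_admins, since):
    """Return findings for privileged-profile holders outside the baseline or
    created on/after `since` (YYYYMMDD; this format sorts chronologically as
    a plain string, so a string comparison is sufficient)."""
    if len(since) != 8 or not since.isdigit():
        raise ValueError("since must be YYYYMMDD")
    master_by_user = {r["BNAME"]: r for r in usr02_rows}
    privileged = {}
    for r in ust04_rows:
        if r["PROFILE"] in PRIVILEGED_PROFILES:
            privileged.setdefault(r["BNAME"], set()).add(r["PROFILE"])

    findings = []
    for user in sorted(privileged):
        master = master_by_user.get(user)
        reasons = []
        if user not in baseline_admins:
            reasons.append("not in approved admin baseline")
        if master is None:
            # A profile assignment with no master record is itself suspicious.
            reasons.append("no USR02 record")
        elif master["ERDAT"] >= since:
            reasons.append("created on or after " + since)
        if reasons:
            findings.append({
                "user": user,
                "profiles": sorted(privileged[user]),
                "creator": master["ANAME"] if master else None,
                "created": master["ERDAT"] if master else None,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    approved = {"DDIC", "SAPADMIN"}  # constructed baseline of known admins
    for finding in find_unexpected_admins(parse_export(USR02_EXPORT),
                                          parse_export(UST04_EXPORT),
                                          approved, "20250627"):
        print(finding)
```

Run against a real export, the interesting output is not the known administrators but an account like SVC_RFC above: a privileged profile, no entry in the baseline, and a creation date inside the exposure window, with ANAME pointing at the low-privileged account that was abused to create it.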
What makes CVE-2025-42957 particularly dangerous is its low attack complexity. An attacker only needs access to a low-privileged user account, which could be obtained through phishing or other common methods.
From there, they can exploit the flaw over the network without any user interaction, escalating their privileges to achieve a full system compromise.
SecurityBridge, which responsibly disclosed the vulnerability to SAP on June 27, 2025, warns that unpatched systems are exposed to immediate risk.
Because ABAP source code is readable on any system where it is installed, an attacker can compare the patched and unpatched versions of the affected code to locate the fix, so reverse engineering the patch into a working exploit is a relatively simple task for skilled attackers.
Security experts have issued clear guidance for organizations to protect themselves: