Attackers are exploiting critical SAP S/4HANA vulnerability (CVE-2025-42957)

A critical vulnerability (CVE-2025-42957) in SAP S/4HANA enterprise resource planning software is being exploited by attackers “to a limited extent”, the Dutch National Cyber Security Center (NCSC NL) has warned on Friday.

Their alert seems to be based on a report by SecurityBridge’s Threat Research Labs, who say they have verified that an exploit for the flaw is being used in the wild.

About CVE-2025-42957

CVE-2025-42957 is a code injection vulnerability in a SAP S/4HANA function module that is exposed via RFC.

“This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system,” the CVE entry states.

The only roadblock to exploitation is that attackers must be authenticated as a low-privileged user to deploy the exploit, a roadblock that is not that difficult to overcome.

The vulnerability affects SAP S/4HANA (Private Cloud or On-Premise) containing the following versions of the core Enterprise Management component S4CORE: 102, 103, 104, 105, 106, 107, and 108.

SAP released a patch for CVE-2025-42957, along with fixes for a number of other vulnerabilities, on August 12, 2025.

Exploited in the wild

According to NCSC NL, no public proof-of-concept (PoC) code or exploit is available, but SecurityBridge researchers have released a demo of the exploit.

“While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability. That means attackers already know how to use it – leaving unpatched SAP systems exposed,” the researchers noted.

“Additionally, reverse engineering the patch to create an exploit is relatively easy for SAP ABAP, since the ABAP code is open to see for everyone.”

The company advises enterprise admins to apply the provided patch, check for suspicious RFC calls, new admin users, or unexpected ABAP code changes, and harden defenses by implementing segmentation, backups, and SAP-specific monitoring.
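The three checks SecurityBridge recommends (suspicious RFC calls, new admin users, unexpected ABAP code changes) are straightforward to turn into detection logic. The script below is an added example written for this article, not SecurityBridge's or SAP's code. It runs over a constructed, simplified CSV export of audit events; the column layout, the `K=V;K=V` detail format, the allow-list of RFC source hosts and the "change without transport" heuristic are all assumptions of the example, not SAP's actual Security Audit Log format. Only the broad profile names (SAP_ALL, SAP_NEW) are real SAP identifiers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log for this example. The layout (CSV with a free-form
# "detail" column of K=V pairs) is an assumption, not SAP's real audit log format.
SAMPLE_LOG = """timestamp,event,user,client,terminal,detail
2025-08-20T09:12:01,RFC_CALL,BATCH_SVC,100,app01.corp.example,FM=BAPI_USER_GET_DETAIL
2025-08-20T09:14:33,RFC_CALL,JDOE,100,203.0.113.45,FM=RFC_READ_TABLE
2025-08-20T09:15:02,USER_CREATE,JDOE,100,203.0.113.45,NEWUSER=SVCADM1
2025-08-20T09:15:10,ROLE_ASSIGN,JDOE,100,203.0.113.45,USER=SVCADM1;PROFILE=SAP_ALL
2025-08-20T09:17:45,ABAP_CHANGE,SVCADM1,100,203.0.113.45,OBJECT=ZFI_POST_HELPER;TRANSPORT=NONE
2025-08-20T10:01:00,RFC_CALL,BATCH_SVC,100,app01.corp.example,FM=BAPI_MATERIAL_GET_ALL
"""

# Assumed allow-list of hosts that are expected to make RFC calls into this system.
KNOWN_RFC_SOURCES = {"app01.corp.example", "app02.corp.example"}
# Well-known broad SAP authorization profiles; granting them is an admin-level change.
SENSITIVE_PROFILES = {"SAP_ALL", "SAP_NEW"}


def parse_detail(detail):
    """Split 'K=V;K2=V2' into a dict (the detail format is an assumption of this example)."""
    out = {}
    for part in detail.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def classify(row):
    """Return (severity, rule) tags for one event row, mirroring the three advised checks."""
    tags = []
    detail = parse_detail(row["detail"])
    event = row["event"]
    # 1. RFC calls from a host that is not on the allow-list.
    if event == "RFC_CALL" and row["terminal"] not in KNOWN_RFC_SOURCES:
        tags.append(("medium", "rfc_unknown_source"))
    # 2. New users, and especially grants of broad admin profiles.
    if event == "USER_CREATE":
        tags.append(("medium", "new_user"))
    if event == "ROLE_ASSIGN" and detail.get("PROFILE") in SENSITIVE_PROFILES:
        tags.append(("high", "admin_grant"))
    # 3. ABAP objects changed directly, outside the transport process (heuristic).
    if event == "ABAP_CHANGE" and detail.get("TRANSPORT", "NONE") == "NONE":
        tags.append(("high", "abap_change_no_transport"))
    return tags


def analyze(log_text):
    """Return all findings plus the terminals that trip two or more distinct rules."""
    findings = []
    rules_by_terminal = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        for severity, rule in classify(row):
            findings.append({
                "severity": severity,
                "rule": rule,
                "timestamp": row["timestamp"],
                "user": row["user"],
                "terminal": row["terminal"],
                "detail": row["detail"],
            })
            rules_by_terminal[row["terminal"]].add(rule)
    # A single source that chains several categories (odd RFC call, then a new
    # admin, then a code change) is far more interesting than any one hit alone.
    chained = sorted(t for t, rules in rules_by_terminal.items() if len(rules) >= 2)
    return findings, chained


def summarize(findings):
    """Count findings per rule, handy for a quick triage view."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results, chained_terminals = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['rule']:26} {f['timestamp']} {f['user']:10} {f['terminal']:20} {f['detail']}")
    print("per-rule counts:", summarize(results))
    print("terminals with chained findings:", chained_terminals)
```

On the constructed sample, the single terminal `203.0.113.45` trips all four rules in sequence, which is exactly the pattern that is worth escalating, while the known application server generates no findings at all. In a real deployment the rows would come from the system's own audit export and the allow-list from a change-managed inventory of RFC peers.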
