
Critical SAP S/4HANA Vulnerability (CVE-2025-42957) Actively Targeted by Threat Actors

September 18th, 2025

Critical

Our Cyber Threat Intelligence Unit has been monitoring CVE-2025-42957, a critical Advanced Business Application Programming (ABAP) code-injection vulnerability in SAP S/4HANA (Private Cloud and On-Premises) that is actively exploited in the wild. With a CVSS score of 9.9, the vulnerability allows an authenticated, low-privileged SAP user who holds the S_DMIS authorization to call a vulnerable RFC function module, inject ABAP code, and escalate to full SAP administrative privileges. SecurityBridge first discovered the vulnerability on June 27, 2025, and patches were released on SAP’s August 2025 Patch Day (SAP Note 3627998) alongside accompanying notes. Exploitation has been confirmed and allows attackers to gain full control of the SAP environment and access the host operating system.

Technical Details

  • CVE-ID: CVE-2025-42957

  • Severity: Critical (CVSS 3.x: 9.9)

  • Affected Components / Versions: SAP S/4HANA, S4CORE 102–108; related components include DMIS / SLT (if used) via SAP Note 3633838.

  • Vulnerability Type: Authenticated ABAP code injection via RFC, bypassing authorization checks; low-privileged user required; no user interaction required.

  • Exploit Prerequisites:

    • Valid SAP user account with the ability to call a vulnerable RFC function module.

    • Presence of authorization object S_DMIS with activity 02 (required for the exploit path).


Impact

Exploitation of CVE-2025-42957 can lead to:

  • Escalation from low-privilege user to SAP admin (SAP_ALL) rights.

  • Creation and persistence of hidden administrative/backdoor accounts.

  • Deletion, insertion, or modification of data in the SAP database.

  • Exfiltration of sensitive information (e.g., password hashes) and manipulation of organizational processes.

  • Potential compromise of the underlying host operating system or connected systems if SAP server access is leveraged.

Detection Method

Network Monitoring:

  • Review system logs for suspicious or outlier RFC calls targeting vulnerable SAP modules.

  • Monitor RFC traffic for unusual or unauthorized activity that may indicate exploitation.

  • Use SAP Unified Connectivity (UCON) to restrict RFC usage and log unexpected or unapproved communications.

Endpoint / EDR:

  • Detect and alert on the creation of new administrator (SAP_ALL) accounts, especially when provisioned outside approved workflows.

  • Identify hidden or persistent admin accounts that remain active across system reboots.

Application / SAP Logs:

  • Continuously review SAP logs for evidence of ABAP code injection or execution attempts.

  • Audit access to sensitive SAP database tables containing password hashes, credential stores, or business-critical records.

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this Advisory.


Recommendations

  • Apply SAP Security Note 3627998 immediately, plus Note 3633838 if DMIS/SLT is in scope.

  • Restrict RFC usage via SAP Unified Connectivity (UCON); allowlist only necessary remote-enabled function modules; disable or block unnecessary ones.

  • Review and harden authorizations, especially for S_DMIS and related authorization objects. Ensure that low-privileged users do not have excessive exposure.

  • Monitor logs for the behavioral indicators listed above. Set alerts for new admin users, SAP_ALL grants, ABAP code changes, and anomalous RFC usage.

  • Conduct ABAP code audits for custom modules; search for missing authority checks or insecure coding practices (e.g., concatenated dynamic code or unvalidated input in ABAP).

  • Maintain backups, segmentation, and limit lateral movement paths; apply defense-in-depth.
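The detection guidance above and the monitoring recommendation in this section both come down to the same three behavioral signals: RFC calls to function modules outside the approved allowlist, SAP_ALL grants made outside the change workflow, and ABAP code changes that bypass normal transport handling. The following Python is an added example, not code from the advisory or from SAP, showing how those signals can be evaluated over log records and then correlated per user. The pipe-delimited record format, the sample events, the module names in the allowlist and the field names (`module`, `profile`, `ticket`, `transport`) are all constructed for the example; in practice the allowlist would come from UCON and the events from the SAP Security Audit Log or your SIEM.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed, UCON-style allowlist of remote-enabled function modules that
# external callers are permitted to invoke. Real deployments maintain this in
# UCON itself; the Z_* names here are placeholders for the example.
ALLOWED_RFC_MODULES = {"Z_REPORT_EXPORT", "Z_INVOICE_STATUS"}

# Accounts permitted to assign SAP_ALL through the approved provisioning
# workflow (assumption: fed from the organization's IAM/change process).
APPROVED_ADMIN_GRANTORS = {"BASISADM"}

# Constructed sample events, one per line: timestamp|event|user|key=value;...
# The format is invented for this example and is not an SAP log format.
SAMPLE_LOG = """\
2025-09-18T08:01:02Z|RFC_CALL|JSMITH|module=Z_REPORT_EXPORT
2025-09-18T08:02:10Z|RFC_CALL|JSMITH|module=Z_UNLISTED_FM
2025-09-18T08:03:30Z|PROFILE_ASSIGN|JSMITH|target=SVC_BACKUP;profile=SAP_ALL;ticket=
2025-09-18T08:04:00Z|PROFILE_ASSIGN|BASISADM|target=OPS01;profile=SAP_ALL;ticket=CHG-1234
2025-09-18T08:05:00Z|ABAP_CHANGE|JSMITH|object=ZCL_HELPER;transport=
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    rule: str      # machine-readable rule name, prefixed by signal family
    user: str      # acting user (the caller, grantor, or author)
    detail: str


def parse_event(line: str) -> tuple[str, str, str, dict[str, str]]:
    """Split one 'timestamp|event|user|k=v;k=v' record into its parts."""
    timestamp, event, user, raw = line.strip().split("|", 3)
    fields: dict[str, str] = {}
    for pair in raw.split(";"):
        if pair:
            key, _, value = pair.partition("=")
            fields[key] = value
    return timestamp, event, user, fields


def detect(log_text: str) -> list[Alert]:
    """Apply the three behavioral rules to every record and return the alerts."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, f = parse_event(line)

        # Signal 1: RFC usage outside the allowlist (anomalous RFC usage).
        if event == "RFC_CALL" and f.get("module") not in ALLOWED_RFC_MODULES:
            alerts.append(Alert(ts, "rfc_module_not_allowlisted", user, f.get("module", "")))

        # Signal 2: SAP_ALL granted outside the approved workflow. Both checks
        # are independent so a single event can raise both alerts.
        if event == "PROFILE_ASSIGN" and f.get("profile") == "SAP_ALL":
            target = f.get("target", "")
            if not f.get("ticket"):
                alerts.append(Alert(ts, "grant_sap_all_without_ticket", user, f"target={target}"))
            if user not in APPROVED_ADMIN_GRANTORS:
                alerts.append(Alert(ts, "grant_sap_all_by_unapproved_grantor", user, f"target={target}"))

        # Signal 3: ABAP object changed without a transport request.
        if event == "ABAP_CHANGE" and not f.get("transport"):
            alerts.append(Alert(ts, "abap_change_outside_transport", user, f.get("object", "")))
    return alerts


def correlated_users(alerts: list[Alert]) -> set[str]:
    """Users who triggered all three signal families (rfc, grant, abap).

    A single account producing anomalous RFC usage, an ABAP change and a
    SAP_ALL grant matches the escalation chain the advisory describes and
    deserves priority triage over any one alert on its own.
    """
    families_by_user: dict[str, set[str]] = {}
    for a in alerts:
        family = a.rule.split("_", 1)[0]
        families_by_user.setdefault(a.user, set()).add(family)
    return {u for u, fams in families_by_user.items() if fams >= {"rfc", "grant", "abap"}}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.rule:40} user={a.user} {a.detail}")
    print("correlated users:", sorted(correlated_users(found)))
```

On the constructed sample, the allowlisted call and the ticketed grant by `BASISADM` pass silently, while `JSMITH` raises four alerts and is the only user flagged by `correlated_users`. The value of the correlation step is that each rule alone is noisy (a missing ticket is often a process slip), but one low-privileged account hitting all three families in sequence is exactly the pattern this vulnerability's exploitation would produce.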

Conclusion

With a CVSS score of 9.9, CVE-2025-42957 presents a serious threat to SAP S/4HANA environments. Its low barrier to entry, only needing a valid SAP user, a vulnerable RFC, and S_DMIS authorization, combined with its high impact (complete SAP compromise and potential access to the host OS), and ease of exploitation (reverse-engineering the patch is relatively simple), makes unpatched systems extremely vulnerable. In the absence of published IOCs, focus should be on configuration, monitoring, patching, and enforcing least privilege. We urge all organizations using affected SAP S/4HANA versions to assume exposure until systems are patched and actively monitored.
