A critical flaw in SAP S/4HANA is now under active exploitation, exposing enterprises that have not yet applied the latest security patches. The vulnerability, tracked as CVE-2025-42957 with a CVSS score of 9.9, was discovered by SecurityBridge and disclosed to SAP earlier this year. It represents an ABAP code injection problem in an RFC-exposed function module, allowing low-privileged authenticated users to inject arbitrary code, bypass authorizations, and fully compromise SAP systems.
SAP addressed the flaw in its August 11, 2025 Patch Day release, but researchers warn that many systems remain vulnerable. SecurityBridge confirmed seeing active exploitation in the wild, though incidents appear limited so far. The firm emphasized that due to the open nature of ABAP code, attackers can easily reverse engineer SAP’s patch to recreate an exploit, leaving unpatched deployments dangerously exposed.
Exploitation of CVE-2025-42957 can lead to devastating consequences, including data theft, unauthorized manipulation of financial or operational records, privilege escalation via backdoor account creation, and the deployment of malware or ransomware. Researchers also demonstrated that the flaw can be leveraged to run arbitrary system commands directly on SAP servers, significantly raising the risk of operational disruption.
The scope of impact is wide. Vulnerable products include S/4HANA (Private Cloud and On-Premise) versions S4CORE 102–108, Landscape Transformation DMIS versions 2011_1_700 through 2020, Business One (SLD) version B1_ON_HANA 10.0, and multiple NetWeaver Application Server ABAP (BIC Document) and SEM-BW versions. Given SAP’s critical role in global supply chains, finance, and enterprise operations, the exposure window presents a high-value target for attackers.
While SecurityBridge stresses that mass exploitation has not yet materialized, the confirmed attacks underscore the urgency of patching. Because exploit development is relatively simple in ABAP, widespread attacks are considered a matter of when, not if. Organizations relying on SAP are strongly advised to apply the August 2025 patches immediately, enforce strict access controls, and monitor logs for suspicious activity.
This incident also highlights a recurring issue in enterprise software security: attackers increasingly focus on misconfigurations and slow patch adoption cycles in mission-critical platforms. As SAP environments often underpin financial and operational data, exploitation could have far-reaching impacts beyond IT disruption.
CVE-2025-42957 represents a clear and present danger for enterprises running SAP S/4HANA and related platforms. Administrators who have not yet applied the August 2025 fixes should prioritize patching without delay, while also reviewing system configurations, auditing access rights, and implementing robust monitoring for abnormal activity. Inaction risks not only operational downtime but also financial loss, reputational damage, and regulatory exposure.
