Critical SAP S/4HANA Flaw Exposes Systems to Full Compromise
A critical vulnerability, CVE-2025-42957, has been identified in SAP S/4HANA, carrying a near-maximum CVSS score of 9.9. The flaw enables users with only minimal privileges to execute arbitrary code, effectively granting them full control over the system. It was discovered by the SecurityBridge Threat Research Labs team, which has also confirmed evidence of exploitation in active attacks.
The vulnerability affects all versions of S/4HANA, including both Private Cloud and On-Premise deployments. To compromise a system, an attacker needs nothing more than a low-privileged account; from there they can execute operating system-level commands, create SAP superusers with SAP_ALL authorizations, alter database records and business processes, and steal password hashes. The consequences range from data theft, financial fraud, and corporate espionage to the deployment of ransomware.
SAP issued patches on August 12, 2025, as part of its monthly Patch Day. Administrators must apply updates detailed in Note 3627998, and if using SLT/DMIS, also Note 3633838. Experts strongly urge immediate patching, warning that the openness of ABAP code significantly lowers the barrier for attackers to craft exploits once the patch details are public.
Administrators are advised not only to apply the fixes but also to harden their environments: restrict the use of RFC through SAP UCON, review access to the S_DMIS authorization object, monitor for suspicious RFC calls or the sudden appearance of new administrative accounts, and ensure robust network segmentation, reliable backups, and dedicated security monitoring.
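One way to implement the "new administrative accounts" check from the hardening advice above, as an added example that is not from the article, SAP, or SecurityBridge: it correlates user-creation events with SAP_ALL profile assignments over a constructed, simplified event schema. The field names, the APPROVED_ADMINS allowlist and the 24-hour window are assumptions; real SAP Security Audit Log records would need their own parser.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified schema (not SAP's real audit log format).
SAMPLE_EVENTS = [
    {"ts": "2025-08-13T09:00:00", "event": "USER_CREATE", "actor": "BASIS01", "target": "ZSVC_RPT"},
    {"ts": "2025-08-13T09:02:00", "event": "PROFILE_ASSIGN", "actor": "ZUSER17", "target": "ZSVC_RPT", "profile": "SAP_ALL"},
    {"ts": "2025-08-13T11:30:00", "event": "USER_CREATE", "actor": "BASIS01", "target": "JDOE"},
    {"ts": "2025-08-13T12:00:00", "event": "PROFILE_ASSIGN", "actor": "BASIS01", "target": "JDOE", "profile": "Z_REPORT_VIEWER"},
    {"ts": "2025-08-14T10:00:00", "event": "PROFILE_ASSIGN", "actor": "ZUSER17", "target": "OLDUSER", "profile": "SAP_ALL"},
    {"ts": "2025-08-20T08:00:00", "event": "PROFILE_ASSIGN", "actor": "BASIS01", "target": "JDOE", "profile": "SAP_ALL"},
]

APPROVED_ADMINS = {"BASIS01"}   # assumed allowlist of accounts permitted to grant SAP_ALL
WINDOW = timedelta(hours=24)    # assumed: a SAP_ALL grant this soon after creation is suspicious


def find_suspicious_grants(events, approved=APPROVED_ADMINS, window=WINDOW):
    """Return alerts for SAP_ALL grants made by unapproved actors or to freshly created accounts."""
    created = {}   # target user -> creation timestamp
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort correctly as strings
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "USER_CREATE":
            created[e["target"]] = ts
        elif e["event"] == "PROFILE_ASSIGN" and e.get("profile") == "SAP_ALL":
            reasons = []
            if e["actor"] not in approved:
                reasons.append(f"SAP_ALL granted by unapproved account {e['actor']}")
            born = created.get(e["target"])
            if born is not None and ts - born <= window:
                reasons.append(f"SAP_ALL granted to account {e['target']} created {ts - born} earlier")
            if reasons:
                alerts.append({"ts": e["ts"], "target": e["target"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_grants(SAMPLE_EVENTS):
        print(alert["ts"], alert["target"], "; ".join(alert["reasons"]))
```

The grant to JDOE by an approved admin a week after creation produces no alert, while the two grants by ZUSER17 do.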
According to SecurityBridge, exploitation attempts are already underway, leaving unpatched systems under serious and imminent threat.