Particle.news

Critical SAP S/4HANA CVE-2025-42957 Now Exploited in the Wild

A low-privilege ABAP code injection enables full takeover, making immediate patching critical.

Overview

  • The Dutch National Cyber Security Center warned of limited in‑the‑wild attacks, and SecurityBridge says it has verified actual abuse of the flaw.
  • The vulnerability resides in an RFC‑exposed function module that accepts attacker‑supplied ABAP code and runs it without the authorization checks that should gate it, so a caller can do anything the application server can, including creating users with the SAP_ALL profile.
  • Exploitation requires only a low‑privileged authenticated account and is rated CVSS 9.9, affecting both on‑premises and Private Cloud S/4HANA deployments.
  • SAP released fixes in its August 11–12 updates, covering S4CORE versions 102 through 108 and additional components listed in customer bulletins.
  • Administrators are urged to patch immediately, to monitor for suspicious RFC calls, unexpected ABAP changes and newly created administrator accounts, and to restrict RFC exposure with SAP UCON and review which users hold S_DMIS with activity 02 (change), because the fix is easy to reverse‑engineer and a demonstration exploit already exists.
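The monitoring advice in the last bullet can be turned into a small triage pass over three exports: user master records (creation date and assigned profiles), authorization assignments, and recent RFC call records. The script below is an added example, not code from the article, SecurityBridge or SAP; the record layouts, field names, user IDs, hosts and function names are constructed for illustration, and a real extract (for example from SUIM or the Security Audit Log) would need a mapping step into these shapes. It flags the three indicators the bullet names and ranks any user that trips more than one of them.

```python
from collections import Counter
from datetime import date
from ipaddress import ip_address, ip_network

# --- Constructed sample extracts (hypothetical layouts, not SAP's own formats) ---
USERS = [
    {"user": "ADMIN01", "created": date(2024, 3, 2), "profiles": ["SAP_ALL", "SAP_NEW"]},
    {"user": "ZSVC_RFC", "created": date(2025, 8, 14), "profiles": ["SAP_ALL"]},
    {"user": "JDOE", "created": date(2023, 5, 10), "profiles": ["Z_FI_CLERK"]},
]

# (user, authorization object, field, value); ACTVT 02 is "change"
AUTHS = [
    ("JDOE", "S_DMIS", "ACTVT", "03"),
    ("ZSVC_RFC", "S_DMIS", "ACTVT", "02"),
    ("TRANSPORT_OPS", "S_DMIS", "ACTVT", "02"),
]

# Function names are placeholders; the article does not name the vulnerable module.
RFC_CALLS = [
    {"caller": "JDOE", "host": "10.1.2.3", "function": "Z_EXAMPLE_READ"},
    {"caller": "ZSVC_RFC", "host": "203.0.113.9", "function": "Z_EXAMPLE_EXEC"},
    {"caller": "ADMIN01", "host": "10.9.9.9", "function": "Z_EXAMPLE_EXEC"},
]

PATCH_DAY = date(2025, 8, 12)  # fix publication date per the article; use your own apply date


def new_superusers(users, since):
    """Users holding SAP_ALL whose master record was created on or after `since`."""
    return sorted(u["user"] for u in users
                  if "SAP_ALL" in u["profiles"] and u["created"] >= since)


def dmis_change_holders(auths, allowlist=frozenset()):
    """Users with S_DMIS ACTVT 02 who are not on the documented allowlist."""
    found = {user for user, obj, field, value in auths
             if obj == "S_DMIS" and field == "ACTVT" and value == "02"
             and user not in allowlist}
    return sorted(found)


def rfc_from_untrusted(calls, trusted_cidrs):
    """RFC calls whose source host lies outside every trusted network."""
    nets = [ip_network(c) for c in trusted_cidrs]
    return [c for c in calls
            if not any(ip_address(c["host"]) in n for n in nets)]


def triage(users, auths, calls, since, allowlist, trusted_cidrs):
    """Run all three checks; users hitting several indicators are listed first."""
    findings = {
        "new_superusers": new_superusers(users, since),
        "dmis_change": dmis_change_holders(auths, allowlist),
        "untrusted_rfc": rfc_from_untrusted(calls, trusted_cidrs),
    }
    hits = Counter(findings["new_superusers"])
    hits.update(findings["dmis_change"])
    hits.update(c["caller"] for c in findings["untrusted_rfc"])
    findings["priority"] = sorted(hits, key=lambda u: (-hits[u], u))
    return findings


if __name__ == "__main__":
    result = triage(USERS, AUTHS, RFC_CALLS, PATCH_DAY, {"TRANSPORT_OPS"}, ["10.0.0.0/8"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

The allowlist for S_DMIS activity 02 and the trusted RFC source networks are the two inputs worth maintaining carefully: without them every legitimate transport operator and every internal integration host becomes noise, and the genuinely new SAP_ALL account created after patch day gets lost in the list.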