Overview
- CVE-2025-42957 is an ABAP code‑injection flaw in an RFC‑exposed function module of SAP S/4HANA that does not perform proper authorization checks; it is rated CVSS 9.9.
- Exploitation needs only an authenticated low‑privileged user. A successful attacker gains full control of the system, including the ability to create superuser accounts with the SAP_ALL profile and to manipulate business data.
- SAP shipped fixes in its August 2025 security updates; admins are urged to patch immediately, monitor for suspicious RFC calls and newly created admin users, review unexpected ABAP changes, restrict exposed RFC function modules with UCON, and limit authorization object S_DMIS, activity 02, to the accounts that actually need it.
- SecurityBridge confirmed exploitation in the wild and published a demonstration of the attack; NCSC NL reports that observed activity remains limited and that no public proof‑of‑concept exploit is available.
- Affected releases include S/4HANA (on‑premises and Private Cloud edition) running S4CORE 102 through 108; further impacted components are listed in SAP's customer advisories.
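The monitoring advice above (watch RFC calls, new admin users and ABAP changes) is easier to act on with a concrete triage rule set. The following Python script is an added example, not code from the original page, SAP or SecurityBridge. It parses a constructed, simplified `key=value` record format that stands in for exported Security Audit Log (SM20) / RFC log entries (real exports differ and must be mapped onto these fields), compares RFC calls against an assumed UCON‑style allowlist, flags SAP_ALL assignments and ABAP changes by non‑developer accounts, and correlates a user creation with a preceding non‑allowlisted RFC call by the same actor. All names in the sample data (`WH_CLERK`, `SVC_BACKUP2`, `Z_EXAMPLE_RFC_FM`, `ZPOSTING_HOOK`, the allowlist contents) are placeholders; `Z_EXAMPLE_RFC_FM` is not the affected SAP module.

```python
"""Triage constructed SAP-style audit records for the post-exploitation steps the
advisory tells admins to watch for: suspicious RFC calls, new SAP_ALL users and
unexpected ABAP changes. Added example, not code from the page, SAP or SecurityBridge.
The record format is a constructed, simplified stand-in for SM20 / RFC log exports."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Assumed UCON-style allowlist of function modules this system intends to expose over
# RFC (hypothetical content; in practice take it from your own UCON evaluation).
RFC_ALLOWLIST = {"RFC_PING", "RFC_READ_TABLE", "BAPI_USER_GET_DETAIL"}
# Composite profiles whose assignment should never happen outside a change window.
SUPERUSER_PROFILES = {"SAP_ALL", "SAP_NEW"}
# Accounts expected to change ABAP objects on this system (assumed for the example).
DEVELOPER_ACCOUNTS = {"DEV_ALICE"}
# A user creation this long after a non-allowlisted RFC call by the same actor is
# treated as one attack chain rather than two unrelated events.
CORRELATION_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class Alert:
    severity: str  # "high" or "medium"
    rule: str
    user: str      # the acting account
    detail: str


def parse(lines: Iterable[str]) -> List[Dict]:
    """Parse 'key=value' records, one per line, and return them ordered by timestamp."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = dict(token.split("=", 1) for token in line.split())
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def triage(records: List[Dict]) -> List[Alert]:
    """Apply the four rules and return alerts in event order."""
    alerts: List[Alert] = []
    suspect_rfc: Dict[str, List[datetime]] = defaultdict(list)  # actor -> call times

    def recently_suspect(actor: str, ts: datetime) -> bool:
        return any(timedelta(0) <= ts - t <= CORRELATION_WINDOW for t in suspect_rfc[actor])

    for r in records:
        ev, actor, ts, target = r["event"], r["user"], r["ts"], r["target"]
        if ev == "RFC_CALL" and target not in RFC_ALLOWLIST:
            suspect_rfc[actor].append(ts)
            alerts.append(Alert("medium", "rfc-not-allowlisted", actor,
                                f"{target} from {r.get('terminal', '?')}"))
        elif ev == "USER_CREATED":
            if recently_suspect(actor, ts):
                alerts.append(Alert("high", "user-created-after-suspect-rfc", actor,
                                    f"created {target} shortly after a non-allowlisted RFC call"))
            else:
                alerts.append(Alert("medium", "user-created", actor, f"created {target}"))
        elif ev == "PROFILE_ASSIGNED" and r.get("profile") in SUPERUSER_PROFILES:
            alerts.append(Alert("high", "superuser-profile-assigned", actor,
                                f"{r['profile']} assigned to {target}"))
        elif ev == "ABAP_OBJECT_CHANGED" and actor not in DEVELOPER_ACCOUNTS:
            alerts.append(Alert("medium", "abap-change-by-non-developer", actor,
                                f"changed {target}"))
    return alerts


# Constructed sample records (not real log data). Z_EXAMPLE_RFC_FM is only a
# placeholder for "some function module not on the allowlist".
SAMPLE_LOG = """
ts=2025-09-04T09:58:10 event=RFC_CALL user=WH_CLERK target=RFC_PING terminal=wh-pc-17
ts=2025-09-04T10:01:33 event=RFC_CALL user=WH_CLERK target=Z_EXAMPLE_RFC_FM terminal=wh-pc-17
ts=2025-09-04T10:02:05 event=USER_CREATED user=WH_CLERK target=SVC_BACKUP2
ts=2025-09-04T10:02:09 event=PROFILE_ASSIGNED user=WH_CLERK target=SVC_BACKUP2 profile=SAP_ALL
ts=2025-09-04T10:05:41 event=ABAP_OBJECT_CHANGED user=SVC_BACKUP2 target=ZPOSTING_HOOK
ts=2025-09-04T11:30:00 event=USER_CREATED user=BASIS_BOB target=INTERN_07
ts=2025-09-04T11:30:05 event=PROFILE_ASSIGNED user=BASIS_BOB target=INTERN_07 profile=Z_DISPLAY_ONLY
ts=2025-09-04T12:00:00 event=ABAP_OBJECT_CHANGED user=DEV_ALICE target=ZREPORT_OK
"""


def run_demo() -> List[Alert]:
    return triage(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.severity:6}] {a.rule:32} {a.user:12} {a.detail}")
```

On the sample data the script raises five alerts: the non‑allowlisted call, the user creation correlated to it, the SAP_ALL assignment, and the ABAP change by the freshly created account all point at `WH_CLERK` / `SVC_BACKUP2`, while the routine account created by `BASIS_BOB` only yields the baseline medium alert. The allowlist check is the script‑side counterpart of enforcing UCON; keep the two in sync so that anything UCON blocks also shows up here if it is attempted.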