Critical SAP S/4HANA code injection vulnerability exploited in the wild
Take action: If you're running SAP S/4HANA, immediately apply the August 2025 Security Patch Day updates. Attackers are actively exploiting this to gain complete system control from low-privileged accounts.
Learn More
SecurityBridge Threat Research Labs is reporting active exploitation of a critical vulnerability in SAP S/4HANA that allows low-privileged attackers to achieve complete system compromise.
The vulnerability is tracked as CVE-2025-42957 (CVSS score 9.9), enables arbitrary ABAP code injection through exposed RFC-enabled function modules, potentially affecting thousands of organizations worldwide that rely on SAP's flagship ERP platform.
SAP released patches as part of the August 2025 Security Patch Day, approximately six weeks after the initial report. Despite availability of patches, SecurityBridge has confirmed that threat actors are actively exploiting this vulnerability in the wild.
The attack vector requires only minimal prerequisites, as threat actors need access to a low-privileged user account with permissions to call the vulnerable RFC module and the specific S_DMIS authorization with activity 02.
According to security researchers, the ease of exploitation is compounded by the transparent nature of ABAP code, which allows attackers to reverse engineer patches and develop exploits relatively easily once security updates are released. This characteristic makes rapid patch deployment even more critical for organizations running affected SAP systems.
