3 min read
An active and critical remote code execution vulnerability, CVE-2025-42957, is being exploited in SAP S/4HANA and related products. The flaw, rated 9.9 CVSS, allows remote attackers to inject malicious ABAP code via the Remote Function Call (RFC) module and gain full control of compromised systems. This represents an enterprise-scale emergency because many major global businesses use S/4HANA for managing core operations like finance, supply chain, and HR.
Key details on S/4HANA Vulnerability
- Vulnerability: ABAP code injection due to improper input validation in an RFC-exposed function module.
- Active Exploitation: The flaw is actively being exploited in the wild, though the full scope of exploitation is not yet confirmed. Security researchers warn that since the ABAP patch can be easily reverse-engineered, exploits can be created by threat actors.
- Attack Vector: Attackers can exploit the vulnerability over the network with minimal effort and low-privileged user credentials, which can be acquired through phishing. No user interaction is required for the exploit to succeed.
- Severe Impact: Successful exploitation can lead to a complete system compromise, giving attackers administrative control over the SAP application and potentially the host operating system.
The potential damage includes:
- Data theft or tampering
- Privilege escalation and creation of backdoor accounts
- Credential harvesting
- Ransomware deployment
Affected Systems:
- SAP S/4HANA (versions 102-108)
- SAP Landscape Transformation (SLT) (Note 3633838)
- SAP NetWeaver ABAP servers
- SAP Business One on HANA 10.0
SAP released security updates for this vulnerability as part of its August 2025 Patch Day. Specifically, security notes 3627998 and 3633838 address this issue.
Immediate Actions and Recommendations
Organizations running affected SAP products must prioritize mitigation steps immediately. Here is what organizations in Pakistan and worldwide can do immediately. Apply the security patches from SAP’s August 2025 Security Patch Day as soon as possible. Prioritize mission-critical and internet-facing systems.
If immediate patching is not possible, restrict access to SAP systems to trusted networks. Network segmentation can help isolate critical SAP instances from other corporate networks. Actively monitor logs for any suspicious RFC activity or the creation of new administrator accounts, as some security vendors have created detection patterns for this vulnerability.
Reaffirm and enforce the principle of least privilege for all SAP users by restricting access to vulnerable function modules. Prepare and update incident response playbooks for a potential SAP breach, including validating backups.
Wider Context of S/4HANA Vulnerability
The exploitation of this vulnerability follows a trend of threat actors, including ransomware gangs and nation-state groups, increasingly targeting enterprise resource planning (ERP) systems like SAP. Unpatched and customized SAP systems are particularly vulnerable. Cybersecurity experts warn that relying solely on routine patching schedules is no longer sufficient due to the rapid exploitation of critical vulnerabilities.
