A critical remote code execution vulnerability, CVE-2025-42957, is being actively exploited in SAP S/4HANA and related products. The flaw, rated CVSS 9.9, allows remote attackers to inject malicious ABAP code via the Remote Function Call (RFC) module and gain full control of compromised systems. This is an enterprise-scale emergency because many major global businesses use S/4HANA to manage core operations such as finance, supply chain, and HR.
The potential damage includes:
Affected Systems:
SAP released security updates for this vulnerability as part of its August 2025 Patch Day. Specifically, security notes 3627998 and 3633838 address this issue.
Organizations running affected SAP products must prioritize mitigation immediately. Organizations in Pakistan and worldwide can take the following steps now. Apply the security patches from SAP's August 2025 Security Patch Day as soon as possible. Prioritize mission-critical and internet-facing systems.
If immediate patching is not possible, restrict access to SAP systems to trusted networks. Network segmentation can help isolate critical SAP instances from other corporate networks. Actively monitor logs for any suspicious RFC activity or the creation of new administrator accounts. Some security vendors have created detection patterns for this vulnerability.
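A small triage of the monitoring step above, added here as an example and not taken from SAP or from any vendor's detection content: it reads a constructed, simplified CSV of audit events and flags RFC calls from outside trusted networks, account creation shortly after an RFC call by the same user, and assignment of privileged profiles. The field names, event labels, trusted range and 15-minute window are assumptions; a real audit log export has to be mapped to this shape first.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Assumptions for illustration: trusted range, correlation window, profile list.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
PRIVILEGED_PROFILES = {"SAP_ALL", "SAP_NEW"}
WINDOW = timedelta(minutes=15)

# Constructed sample data in a hypothetical normalized format (not a raw SAP log).
SAMPLE = """timestamp,event,user,source_ip,detail
2025-09-01T02:10:05,RFC_CALL,SVC_BATCH,10.20.4.17,Z_STOCK_SYNC
2025-09-01T02:14:41,RFC_CALL,SVC_REPORT,203.0.113.50,Z_REPORT_EXPORT
2025-09-01T02:16:02,USER_CREATE,SVC_REPORT,203.0.113.50,TMPADM01
2025-09-01T02:16:30,PROFILE_ASSIGN,SVC_REPORT,203.0.113.50,TMPADM01:SAP_ALL
2025-09-01T09:00:12,USER_CREATE,ADMIN_OPS,10.20.1.5,JSMITH
"""

def is_trusted(ip):
    """True if the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def triage(export_text):
    """Return (rule, acting_user, subject) tuples; rows must be in time order."""
    findings = []
    last_rfc = {}  # acting user -> timestamp of most recent RFC call
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, event, detail = row["user"], row["event"], row["detail"]
        if event == "RFC_CALL":
            last_rfc[user] = ts
            if not is_trusted(row["source_ip"]):
                findings.append(("untrusted_rfc_source", user, row["source_ip"]))
        elif event == "USER_CREATE":
            prev = last_rfc.get(user)
            # Account creation right after RFC activity by the same user.
            if prev is not None and ts - prev <= WINDOW:
                findings.append(("account_created_after_rfc", user, detail))
        elif event == "PROFILE_ASSIGN":
            target, _, profile = detail.partition(":")
            if profile in PRIVILEGED_PROFILES:
                findings.append(("privileged_profile_assigned", user, target))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The routine account creation by ADMIN_OPS from a trusted address produces no finding, which keeps the output limited to events worth an analyst's attention.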
Reaffirm and enforce the principle of least privilege for all SAP users by restricting access to vulnerable function modules. Prepare and update incident response playbooks for a potential SAP breach, including validating backups.
The exploitation of this vulnerability follows a trend of threat actors, including ransomware gangs and nation-state groups, increasingly targeting enterprise resource planning (ERP) systems like SAP. Unpatched and customized SAP systems are particularly vulnerable. Cybersecurity experts warn that relying solely on routine patching schedules is no longer sufficient due to the rapid exploitation of critical vulnerabilities.