Critical SAP S/4HANA Flaw Exploited for Full System Takeover

A high-severity vulnerability in SAP S/4HANA—tracked as CVE-2025-42957 with a CVSS score of 9.9—is under active exploitation.

The flaw allows a low-privileged user possessing minimal SAP access to perform remote code injection, leading to a complete system takeover.

Organizations running SAP S/4HANA on-premise or in private cloud must apply the August 2025 Patch Day updates immediately to mitigate this critical risk.

Exploitation Path and Attack Impact

SecurityBridge’s Threat Research Labs discovered the vulnerability on June 27, 2025, during routine security testing and responsibly disclosed it to SAP.

The vendor issued fixes on August 11, 2025 (Patch Day), but SecurityBridge has already observed real-world exploitation attempts.

Notably, successful attack chains require only:

1. A valid SAP user account with access to a vulnerable RFC module
2. The S_DMIS authorization object with activity 02

No additional user interaction—such as phishing links or social engineering—is necessary.

Once exploited, the attacker can:

1. Execute arbitrary ABAP code on the SAP application layer
2. Read, modify, or delete any SAP database records
3. Create new administrative users with SAP_ALL privileges
4. Download password hashes for all SAP accounts
5. Disrupt or disable critical business processes
6. Deploy ransomware or tamper with financial and customer data

This network-based exploit allows rapid privilege escalation from basic credentials to full system control, posing an existential threat to enterprise operations and data integrity.

CVE Identifier	CVSS Score	Affected Releases
CVE-2025-42957	9.9	All SAP S/4HANA releases (On-Premise & Private Cloud)

To date, SecurityBridge has not detected a large-scale global campaign, but confirmed targeted attacks underscore the urgency of remediation.

Because ABAP code is open and visible, reverse-engineering the SAP patch is straightforward, enabling threat actors to develop reliable exploits rapidly.

SAP customers must treat CVE-2025-42957 as an emergency.

The following actions should be implemented without delay:

1. Apply SAP Security Notes
   Install Notes 3627998 and 3633838 to patch vulnerable RFC modules.
2. Harden Authorizations
   Review and restrict usage of the S_DMIS object. Limit remote function calls (RFCs) to trusted sources only.
3. Network Segmentation and Access Controls
   Enforce strict segmentation between SAP application servers and general user networks. Deploy SAP UCON to refine access control policies.
4. Continuous Monitoring and Alerting
   Monitor system logs for anomalous RFC request patterns or the creation of unauthorized administrative accounts.
5. Backup and Recovery Preparedness
   Maintain up-to-date, encrypted backups of SAP configurations and databases to ensure swift recovery after an incident.

Organizations using the SecurityBridge platform gain enhanced detection and blocking capabilities for CVE-2025-42957 exploit attempts, offering real-time visibility into suspicious activities.

This incident highlights the paramount importance of timely patching, rigorous authorization management, and proactive monitoring within SAP landscapes.

Enterprises must prioritize these measures to safeguard against potential fraud, data loss, reputational damage, and operational disruption.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates

The post Critical SAP S/4HANA Flaw Exploited for Full System Takeover appeared first on Cyber Security News.