Ethical Hacking News
A critical code-injection bug in SAP S/4HANA has been actively exploited by attackers, allowing low-privileged users to gain full control over the system. Users are strongly advised to apply SAP's August security updates immediately to prevent exploitation.
A critical code-injection bug (CVE-2025-42957) has been actively exploited by attackers, allowing low-privileged users to gain full control over SAP S/4HANA. The bug enables arbitrary ABAP code injection, bypassing authorization checks and creating a backdoor for full system compromise. Customers are advised to apply the patch immediately to prevent exploitation. Suspicious RFC calls, new admin-level users, or ABAP code changes may indicate attacker control. Implementing SAP UCON and reviewing authorization object S_DMIS activity 02 can help limit exposure.
SAP S/4HANA users, beware! A critical code-injection bug in the system has been actively exploited by attackers, allowing low-privileged users to gain full control over the SAP system. This vulnerability, tracked as CVE-2025-42957, was first disclosed by SecurityBridge Threat Research Labs, which verified actual abuse of this vulnerability.
The bug enables a user to inject arbitrary ABAP code into the system, bypassing authorization checks and creating a backdoor that allows for full system compromise, data theft, and operational disruption. In other words, it's effectively game over. The low-complexity exploit makes it easy for attackers to manipulate critical business data.
According to SecurityBridge, their team demonstrated in a lab environment how an attacker could create a new SAP superuser account with SAP_ALL privileges and directly manipulate critical business data. This is especially severe because the vulnerability affects both private cloud and on-premises versions of SAP S/4HANA.
SAP issued a patch for this 9.9-rated flaw in August, which customers are strongly advised to apply immediately to prevent exploitation. Security experts recommend watching for suspicious RFC calls or new admin-level users being created, along with ABAP code changes, as these could indicate that an attacker has gained control of the system.
Additionally, implementing SAP UCON to restrict RFC usage and reviewing authorization object S_DMIS activity 02 can help limit exposure to this vulnerability. However, it's essential for SAP S/4HANA customers to take proactive measures to secure their systems.
The fact that this vulnerability is already being actively exploited highlights the importance of keeping up-to-date with SAP security patches and implementing robust security controls. As SecurityBridge notes, "It's low-complexity to exploit" - a stark reminder of the severity of this vulnerability and the need for vigilance in protecting against it.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-SAP-S4HANA-Vulnerability-Under-Active-Exploitation-What-You-Need-to-Know-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/09/05/critical_sap_s4hana_bug_exploited/
https://www.theregister.com/2025/09/05/critical_sap_s4hana_bug_exploited/
https://www.msn.com/en-us/news/technology/critical-make-me-super-user-sap-s4hana-bug-under-active-exploitation/ar-AA1LY9Lt
https://nvd.nist.gov/vuln/detail/CVE-2025-42957
https://www.cvedetails.com/cve/CVE-2025-42957/
Published: Fri Sep 5 14:03:47 2025 by llama3.2 3B Q4_K_M
