Executive Summary
A newly disclosed and actively exploited vulnerability, CVE-2025-42957, has sent shockwaves through the SAP ecosystem. This critical flaw (CVSS 9.9) affects all SAP S/4HANA instances—both Private Cloud and On-Premise—and enables low-privileged users to execute arbitrary code, potentially resulting in full system compromise. Immediate patching is imperative for all running SAP S/4HANA environments.
What Makes CVE-2025-42957 So Dangerous?
- Scope: Impacts every S/4HANA deployment, regardless of cloud or on-prem control.
- Privilege Requirement: Any low-privileged SAP account with access to call Remote Function Call (RFC) modules and limited S_DMIS authorizations can be used to launch attacks—no admin credentials needed
- Impact: Successful exploitation grants attackers:
- Full access to SAP data and the host operating system
- Ability to delete/add database records, export password hashes, and create admin users
- Power to modify critical business processes and deploy persistent backdoors or ransomware.
- Exploitability: Attack complexity is extremely low, and exploitation can occur over the network. No user interaction is required, which elevates its risk profile.
- Real-World Attacks: Security researchers have confirmed exploitation in actual environments, not just in lab settings—a clear, present, and escalating threat.
Technical Deep Dive
CVE-2025-42957 is categorized as an ABAP code injection flaw (CWE-94, Improper Control of Generation of Code)[2]. The vulnerability arises from insufficient input validation in specific RFC-enabled function modules. When invoked by an authenticated user (with limited access), these modules process attacker-supplied parameters directly into dynamic ABAP constructs, such as INSERT REPORT or GENERATE SUBROUTINE POOL, bypassing standard authorization controls.
Threat Vectors:
- Any user with RFC access (and S_DMIS activity 02) can inject and execute custom code
- Methods include privilege escalation, program modification, and disabling security controls
- The vulnerability’s ease of exploitation means even malicious insiders or attackers with phished credentials can compromise the entire SAP environment
Exploitation and Exposure
- Public Proof-of-Concepts/Exploits: Patch reverse engineering is straightforward for ABAP code, increasing the risk of wider weaponization and automated attack kits.
- Attack Outcomes: Espionage, data theft, business process tampering, and ransomware are all viable outcomes from a successful attack chain.
- Similar Flaws: CVE-2025-42957 closely mirrors the earlier CVE-2025-27429 exploit in attack method—dynamic code injection via exposed RFC modules.
Immediate Actions: Patch, Harden, Monitor
1. Patch Immediately
Apply SAP’s August 2025 Security Notes (3627998 and 3633838, Patch Day August 11–12, 2025) to all affected systems
2. Restrict and Audit RFC Access
- Use SAP UCON to limit RFC usage to necessary modules and users
- Regularly audit S_DMIS activity 02 authorizations; revoke unnecessary permissions
3. Monitor for Indicators of Compromise
- Watch for suspicious RFC calls, creation of new high-privileged users, and unexpected ABAP code changes
- Integrate SAP-specific detection capabilities, as recommended by threat research vendors
4. Strengthen Defenses
- Ensure backup and recovery systems are isolated and uncompromised
- Segment SAP servers from less-trusted zones to prevent lateral movement after initial compromise
- Enable and test SAP-specific SIEM or threat detection integrations
Timeline
- Discovery: June 27, 2025 (thanks to SecurityBridge Threat Research Labs)
- Patch Release: August 11–12, 2025
- Active Exploitation: Confirmed as of September 2025
Conclusion
CVE-2025-42957 stands as one of the most severe SAP vulnerabilities in recent memory. With confirmed in-the-wild exploitation, businesses running SAP S/4HANA must treat this as a top emergency. Patch as quickly as possible and reinforce system monitoring and access controls immediately to avert business-altering compromise.
