SAP S/4HANA Under Active Attack: Critical Code Injection Flaw Exploited in the Wild
Share this article
SAP S/4HANA Under Active Attack: Critical Code Injection Flaw Exploited in the Wild
September 5, 2025 — A severe vulnerability in SAP's flagship S/4HANA enterprise software is now being weaponized by attackers, putting unpatched systems at immediate risk of total compromise. Tracked as CVE-2025-42957, this critical flaw (CVSS score: 9.9) enables low-privileged users to inject arbitrary ABAP code via an RFC-exposed function module, bypassing authorization controls and granting full system takeover capabilities. SecurityBridge, which discovered and reported the issue, confirms limited but active exploitation in the wild, signaling urgent action for enterprises reliant on SAP's ecosystem.
How the Vulnerability Unfolds
The flaw resides in core components of SAP S/4HANA, affecting private cloud and on-premise deployments. Attackers exploit it by crafting malicious requests that execute unauthorized code, effectively hijacking servers. SecurityBridge's researchers, who alerted SAP on June 27, 2025, and aided in developing the patch, emphasize the ease of exploitation due to SAP's open ABAP architecture:
"Reverse engineering the patch to create an exploit is relatively easy for SAP ABAP, since the ABAP code is open to see for everyone," SecurityBridge noted. "Attackers already know how to use it – leaving unpatched SAP systems exposed."
This accessibility lowers the barrier for sophisticated threat actors, turning theoretical risks into real-world breaches. Successful attacks could lead to:
- Data theft or manipulation of sensitive enterprise information.
- Privilege escalation through backdoor account creation.
- Credential harvesting and lateral movement across networks.
- Operational paralysis via ransomware or destructive malware.
Patch Lag Fuels the Fire
SAP released fixes during its August 2025 Patch Day, yet countless systems remain vulnerable. The delay in applying updates creates a widening attack surface, with hackers actively scanning for targets. Affected products include:
| Product Line | Vulnerable Versions |
|---|---|
| S/4HANA (On-Premise/Cloud) | S4CORE 102, 103, 104, 105, 106, 107, 108 |
| Landscape Transformation | DMIS 2011_1_700, 710, 730, 731, 752, 2020 |
| Business One (SLD) | B1_ON_HANA 10.0, SAP-M-BO 10.0 |
| NetWeaver ABAP | S4COREOP 104-108, SEM-BW 600-748 |
Why This Matters Beyond SAP Shops
This incident highlights systemic issues in enterprise security: complex patch management cycles and the transparency of business-critical software can turn vulnerabilities into widespread threats. For developers and IT leaders, it underscores the need for:
1. Proactive monitoring of RFC interfaces and ABAP code.
2. Zero-trust architectures to limit damage from compromised low-privilege accounts.
3. Automated patch deployment to shrink vulnerability windows.
SAP administrators must apply the August 2025 updates immediately. Detailed mitigation guidance is available in SAP's bulletin (customer login required). As attackers refine their exploits, every unpatched system becomes a potential entry point for cascading enterprise breaches.
Source: BleepingComputer, with technical insights from SecurityBridge.