- SAP patches critical S/4HANA flaw that allowed complete control of the system
- Attackers can inject ABAP code and bypass authorization checks via RFC
- Some systems remain unpatched and confirmed abuse has already taken place
S/4HANA, SAP's Enterprise Resource Planning (ERP) software suite, carried a critical vulnerability that allowed threat actors to take full control of vulnerable systems.
The company has now published a patch after security researchers warned of "limited" abuse in the wild.
SecurityBridge researchers discovered and reported an improper control of code generation issue that could lead to code injection. An attacker with user privileges could exploit it via RFC, allowing the injection of arbitrary ABAP code and thus bypassing essential authorization checks.
Reverse engineering
According to the NVD, this vulnerability "functions effectively as a backdoor", potentially leading to a "complete compromise of the system".
It is now tracked as CVE-2025-42957 and has received a severity score of 9.9/10 (critical). It was spotted on June 27, 2025 and fixed on August 11.
But SecurityBridge says that not all users have deployed the fix quickly, making it an active target for threat actors.
"Although widespread exploitation has not yet been reported, SecurityBridge has verified real abuse of this vulnerability," the researchers said. "This means that attackers already know how to use it, leaving unpatched SAP systems exposed."
"In addition, reverse engineering the patch to create an exploit is relatively easy for SAP ABAP, because the ABAP code is open for everyone to see."
SecurityBridge stressed that threat actors could abuse this flaw to steal sensitive files, manipulate data, deploy malware, escalate privileges, steal login credentials and perhaps even deploy ransomware. It is not known which groups are currently abusing this flaw, how, or against whom.
SAP said vulnerable products include several versions of S/4HANA (Private Cloud and On-Premise), Landscape Transformation, Business One and NetWeaver Application Server ABAP. A detailed list can be found here. A more detailed bulletin has also been published, but it is only available to SAP customers with an active account.
Via BleepingComputer