Alert: Exploit available to threat actors for SAP S/4HANA critical vulnerability

SAP S/4HANA admins who haven’t already installed a critical August 11 patch could be in trouble: An exploit for the code injection vulnerability is already being used in the wild.

The vulnerability, CVE-2025-42957 (with a CVSS score of 9.9), allows a low-privileged user to take complete control of an SAP system through code injection in SAP’s ABAP programming language. All S/4HANA releases – both private cloud and on premises – are vulnerable. SecurityBridge, which on Thursday reported it had discovered the exploit, said successful exploitation gives access to the operating system and complete access to all data in the SAP system.

If the patch hasn’t been installed yet, it should be installed immediately.

“While widespread exploitation has not yet been reported,” Germany-based SecurityBridge said in a blog on Thursday, it has verified actual abuse of this vulnerability. “That means attackers already know how to use it, leaving unpatched SAP systems exposed,” the researchers warned.

Reverse engineering the patch to create an exploit is relatively easy in the SAP ABAP programming language, the SecurityBridge alert added, since the ABAP code is open for anyone to see.

It isn’t known how many admins have already installed the patch. “This vulnerability was rated 9.9; [that’s] pretty high,” Juan Pablo Perez-Etchegoyen, CTO of security vendor Onapsis, which regularly reports on SAP vulnerabilities, said in an interview. “That’s the type of vulnerability that gets attention from organizations. So we believe that a large number of organizations could have applied the patch on Patch Day or soon after.” Although some IT networks may need down time to install SAP patches, he added, “our expectation is the majority of organizations should have implemented those patches” by now.

Exploit could lead to bad business decisions

Because S/4HANA is an enterprise resource planning system that runs on SAP’s in-memory database, exploitation could be catastrophic. In case CSOs and SAP S/4HANA admins don’t understand the possibilities, SecurityBridge listed a few things that a threat actor exploiting the flaw could do:

delete and insert data directly in the SAP database;

create SAP users with SAP_ALL;

download password hashes;

modify business processes.

“Historically, it has been difficult to apply patches to these complex systems, and many organizations will require careful (and slow) testing before the patches are deployed in production,” Johannes Ullrich, dean of research at the SANS Institute, told CSO.

“ERP systems like SAP are a serious and often underappreciated target. S/4HANA is an in-memory database supporting the SAP ERP system. Compromising it could give an attacker not only access to the data stored in the SAP system, but sometimes, more dangerously, an attacker could modify the data, leading to bad business decisions. These data modification attacks are more stealthy and very difficult to detect and counter.”

“This vulnerability could fill in an important gap in an attacker’s arsenal to attack these systems,” he added. “They will still need some credentials, but they could be low-level credentials they found via some other attack.”

Platform complexity leads to potential vulnerabilities

SAP S/4HANA is no stranger to vulnerabilities. In April, for example, a cross-site request forgery vulnerability (CVE-2025-31328) was discovered in S/4HANA’s Learning Solution module. In February, an open redirect vulnerability was found in S/4HANA’s Extended Application (XS) Services Advanced Model (CVE-2025-24868) that allows an unauthenticated attacker to craft a malicious link that redirects an unwitting victim to a malicious website.

Eric Mehler, a Germany-based CISO who blogs on common security vulnerabilities in S/4HANA, has written that the complexity of the platform can introduce potential security vulnerabilities, often due to misconfiguration or oversight. These issues include keeping default SAP accounts that still use default passwords and excessive user permissions, allowing unencrypted SAP traffic or traffic with outdated protocols like TLS 1.0, insufficient traffic monitoring and logging, and insecure ABAP programming practices.

“Threat actors are very active in targeting SAP applications,” Onapsis’ Perez-Etchegoyen said. Last month, a weaponized exploit for a zero-day vulnerability in SAP NetWeaver (CVE-2025-31324, a missing authentication flaw) was allegedly released by a gang, he noted. “So it’s more important than ever for organizations to integrate SAP security into their IT security landscape” and apply patches as soon as possible.
