{"id":4679,"date":"2025-09-05T01:25:09","date_gmt":"2025-09-05T01:25:09","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4679"},"modified":"2025-09-05T01:25:09","modified_gmt":"2025-09-05T01:25:09","slug":"alert-exploit-available-to-threat-actors-for-sap-s-4hana-critical-vulnerability","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4679","title":{"rendered":"Alert: Exploit available to threat actors for SAP S\/4HANA critical vulnerability"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>SAP S\/4HANA admins who haven\u2019t already installed a critical August 11 patch could be in trouble: An exploit for the code injection vulnerability is already being used in the wild.<\/p>\n<p>The vulnerability, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-42957\" target=\"_blank\" rel=\"noopener\">CVE-2025-42957<\/a> (with a CVSS score of 9.9), allows a low-privileged user to take complete control of an SAP system through code injection in SAP\u2019s ABAP programming language. All S\/4HANA releases \u2013 both private cloud and on premises \u2013 are vulnerable. SecurityBridge, which on Thursday reported it had discovered the exploit, said successful exploitation gives access to the operating system and complete access to all data in the SAP system.<\/p>\n<p>If the patch hasn\u2019t been installed yet, it should be immediately.<\/p>\n<p>\u201cWhile widespread exploitation has not yet been reported,\u201d Germany-based SecurityBridge <a href=\"https:\/\/securitybridge.com\/blog\/critical-sap-s-4hana-code-injection-vulnerability-cve-2025-42957\/\" target=\"_blank\" rel=\"noopener\">said in a blog<\/a> on Thursday, it has verified actual abuse of this vulnerability. 
\u201cThat means attackers already know how to use it, leaving unpatched\u00a0SAP\u00a0systems exposed,\u201d the researchers warned.<\/p>\n<p>Reverse engineering the patch to create an exploit is\u00a0relatively easy\u00a0in the SAP ABAP programming language, the SecurityBridge alert added, since the ABAP code is open for anyone to see.<\/p>\n<p>It isn\u2019t known how many admins have already installed the patch. \u201cThis vulnerability was rated 9.9; [that\u2019s] pretty high,\u201d <a href=\"https:\/\/onapsis.com\/leadership\/juan-pablo-perez-etchegoyen\/\" target=\"_blank\" rel=\"noopener\">Juan Pablo Perez-Etchegoyen<\/a>, CTO of security vendor Onapsis, which regularly reports on SAP vulnerabilities, said in an interview. \u201cThat\u2019s the type of vulnerability that gets attention from organizations. So we believe that a large number of organizations could have applied the patch on Patch Day or soon after.\u201d Although some IT networks may need down time to install SAP patches, he added, \u201cour expectation is the majority of organizations should have implemented those patches\u201d by now.<\/p>\n<h2 class=\"wp-block-heading\">Exploit could lead to bad business decisions<\/h2>\n<p>Because <a href=\"https:\/\/www.cio.com\/article\/3952085\/what-is-s-4hana.html\" target=\"_blank\" rel=\"noopener\">S\/4HANA<\/a> is an enterprise resource planning system that runs on SAP\u2019s in-memory database, exploitation could be catastrophic. 
In case CSOs and SAP S\/4HANA admins don\u2019t understand the possibilities, SecurityBridge listed a few things that a threat actor exploiting the flaw could do:<\/p>\n<ul>\n<li>delete and insert data directly in the SAP Database;<\/li>\n<li>create SAP users with SAP_ALL;<\/li>\n<li>download password hashes;<\/li>\n<li>modify business processes.<\/li>\n<\/ul>\n<p>\u201cHistorically, it has been difficult to apply patches to these complex systems, and many organizations will require careful (and slow) testing before the patches are deployed in production,\u201d Johannes Ullrich, dean of research at the SANS Institute, told <em>CSO<\/em>.<\/p>\n<p>\u201cERP systems like SAP are a serious and often underappreciated target. <a href=\"https:\/\/learning.sap-press.com\/sap-s4hana-overview-benefits\" target=\"_blank\" rel=\"noopener\">S\/4HANA<\/a> is an in-memory database supporting the SAP ERP system. Compromising it could give an attacker not only access to the data stored in the SAP system, but sometimes, more dangerously, an attacker could modify the data, leading to bad business decisions. These data modification attacks are more stealthy and very difficult to detect and counter.\u201d<\/p>\n<p>\u201cThis vulnerability could fill in an important gap in an attacker\u2019s arsenal to attack these systems,\u201d he added. \u201cThey will still need some credentials, but they could be low-level credentials they found via some other attack.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Platform complexity leads to potential vulnerabilities<\/h2>\n<p>SAP S\/4HANA is no stranger to vulnerabilities. In April, for example, a cross-site request forgery vulnerability <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-31328\" target=\"_blank\" rel=\"noopener\">(CVE-2025-31328)<\/a> was discovered in S\/4HANA\u2019s Learning Solution module. 
In February, an open redirect vulnerability was found in S\/4HANA\u2019s Extended Application (XS) Services Advanced Model (CVE-2025-24868) that allows an unauthenticated attacker to craft a malicious link that redirects an unwitting victim to a malicious website.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/pulse\/common-security-vulnerabilities-sap-s4hana-how-prevent-eckhart-mehler-higlf\" target=\"_blank\" rel=\"noopener\">Eric Mehler<\/a>, a Germany-based CISO who blogs on common security vulnerabilities in S\/4HANA, has written that the complexity of the platform can introduce potential security vulnerabilities, often due to misconfiguration or oversight. These issues include keeping default SAP accounts that still use default passwords and excessive user permissions, allowing unencrypted SAP traffic or traffic with outdated protocols like TLS 1.0, insufficient traffic monitoring and logging, and insecure ABAP programming practices.<\/p>\n<p>\u201cThreat actors are very active in targeting SAP applications,\u201d Onapsis\u2019 Perez-Etchegoyen said. Last month, a <a href=\"https:\/\/onapsis.com\/blog\/new-exploit-for-cve-2025-31324\/\" target=\"_blank\" rel=\"noopener\">weaponized exploit for a zero-day vulnerability in SAP NetWeaver<\/a> (CVE-2025-31324, a missing authentication flaw) was allegedly released by a gang, he noted. \u201cSo it\u2019s more important than ever for organizations to integrate SAP security into their IT security landscape\u201d and apply patches as soon as possible.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>SAP S\/4HANA admins who haven\u2019t already installed a critical August 11 patch could be in trouble: An exploit for the code injection vulnerability is already being used in the wild. 
The vulnerability, CVE-2025-42957 (with a CVSS score of 9.9) allows a low-privileged user to take complete\u00a0control of an SAP system through code injection in SAP\u2019s [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4680,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4679","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4679"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4679"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4679\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4680"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}