Critical security vulnerabilities affecting SAP S/4HANA, the Enterprise Resource Planning (ERP) software, are subject to active exploitation in the wild.
Tracked Command Injection Vulnerability CVE-2025-42957 (CVSS score: 9.9) was revised by SAP as part of last month’s monthly update.
“SAP S/4HANA allows user privileged attackers to take advantage of vulnerabilities in function modules exposed via RFCs” as described in the NIST National Ulnerability Database (NVD) flaws. “This flaw allows any ABAP code to be injected into the system, allowing essential approval checks to be bypassed.
A successful investigation of the defect can result in a complete system compromise in the SAP environment, which can suppress the confidentiality, integrity and availability of the system. In short, an attacker can modify the SAP database, create a superuser account using SAP_ALL privileges, download a password hash, and modify business processes.
SecurityBridge’s Threat Research Lab, Alerts It said that the issue was observed to have an aggressive exploitation of flaws, published Thursday, stating that the issue would affect both on-premises and private cloud editions.
“Exploitation requires access to only modest users to completely compromise the SAP system,” the company said. “The perfect system compromises with the minimum required effort. Successful exploitation can easily lead to fraud, data theft, spying, or ransomware installation.”
He also said that widespread exploitation has not yet been detected, but threat actors have the knowledge to use it, and that reverse engineering patches to create exploitation is “relatively easy.”
As a result, organizations are advised to apply patches as soon as possible, monitor the logs of suspicious RFC calls or new admin users, and ensure that they have proper segmentation and backups in place.
It also states, “We will consider implementing SAP UCON to restrict the use of RFCs and verify and restrict access to the authentication object S_DMIS activity 02.”
Source link
