Article Details

Critical, make-me-super-user SAP S/4HANA bug under active exploitation. 9.9-rated flaw on the loose, so patch now. A critical code-injection bug in SAP S/4HANA that allows low-privileged attackers to take over your SAP system is being actively exploited, according to security researchers. SAP issued a patch for the 9.9-rated flaw in August. It is tracked as CVE-2025-42957, and it affects both private cloud and on-premises versions. According to SecurityBridge Threat Research Labs, which originally spotted and disclosed the vulnerability to SAP,  the team "verified actual abuse of this vulnerability." It doesn't appear to be widespread (yet), but the consequences of this flaw are especially severe. "For example, SecurityBridge's team demonstrated in a lab environment how an attacker could create a new SAP superuser account (with SAP_ALL privileges) and directly manipulate critical business data," the researchers said in a Thursday write-up alongside a video demo of the exploit. It's low-complexity to exploit. The bug enables a user to inject arbitrary ABAP code into the system, thus bypassing authorization checks and essentially creating a backdoor that allows full system compromise, data theft, and operational disruption. In other words: it's effectively game over. SAP didn't immediately respond to The Register's inquiries about CVE-2025-42957 and the scope of exploitation. We will update this story when we hear back from the vendor. If you're a customer, apply SAP's August security updates immediately. Also, as SecurityBridge suggests: "Consider implementing SAP UCON to restrict RFC usage and review and restrict access to authorization object S_DMIS activity 02" to limit exposure. Watch for suspicious RFC calls, or any new admin-level users being created, along with ABAP code changes, as all of these could indicate you've been pwned.