TechRadar
Sead Fadilpašić

SAP users patch now - worrying S/4HANA vulnerability being exploited in the wild

  • SAP patches critical S/4HANA flaw which allowed full system takeover
  • Attackers can inject ABAP code and bypass authorization using RFC
  • Some systems remain unpatched, and confirmed abuse has already occurred

S/4HANA, SAP’s Enterprise Resource Planning (ERP) software suite, was carrying a critical vulnerability which allowed threat actors to fully take over affected systems.

The company has now released a patch after security researchers warned about “limited” abuse in the wild.

Researchers from SecurityBridge discovered and reported an improper control of code generation issue (CWE-94) that can lead to code injection. An attacker holding valid user credentials could exploit it over Remote Function Call (RFC), injecting arbitrary ABAP code and thereby bypassing the authorization checks that would normally apply.
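As an added illustration of the weakness class described above (this is not SAP's code and not the code affected by CVE-2025-42957, whose details are only in SAP's customer-restricted bulletin): an RFC-enabled function module that turns caller-supplied text into ABAP source and runs it, next to a hardened version that dispatches a fixed set of actions and performs its own authorization check. The function names, the authorization object Z_DEMO_ACT and the action names are hypothetical.

```abap
" Vulnerable pattern (illustration only, not SAP's code).
" Remote-enabled, so any user who may call this function group via RFC
" (authorization object S_RFC) reaches it; nothing else is checked.
FUNCTION z_demo_run_snippet.
*"  IMPORTING VALUE(IV_SNIPPET) TYPE STRING
*"  EXPORTING VALUE(EV_RESULT)  TYPE STRING
  DATA lt_source TYPE STANDARD TABLE OF string.
  DATA lv_prog   TYPE syrepid.
  DATA lv_msg    TYPE string.

  " Caller input is spliced straight into generated ABAP source (CWE-94).
  " Whatever the caller sends runs with the rights of the RFC service user,
  " so every AUTHORITY-CHECK the surrounding application relies on is moot.
  APPEND 'PROGRAM zgen_snippet.'                     TO lt_source.
  APPEND 'FORM run CHANGING cv_result TYPE string.'  TO lt_source.
  APPEND iv_snippet                                  TO lt_source.
  APPEND 'ENDFORM.'                                  TO lt_source.

  GENERATE SUBROUTINE POOL lt_source NAME lv_prog MESSAGE lv_msg.
  IF sy-subrc = 0.
    PERFORM run IN PROGRAM (lv_prog) CHANGING ev_result.
  ELSE.
    ev_result = lv_msg.
  ENDIF.
ENDFUNCTION.

" Hardened pattern (illustration only).
" No code is generated from input: the caller selects one of a fixed set of
" actions, and the module checks a dedicated authorization object itself
" rather than trusting that the RFC login was enough.
FUNCTION z_demo_run_action.
*"  IMPORTING VALUE(IV_ACTION) TYPE STRING
*"  EXPORTING VALUE(EV_RESULT) TYPE STRING
*"  EXCEPTIONS NOT_AUTHORIZED UNKNOWN_ACTION
  " Hypothetical authorization object Z_DEMO_ACT, activity 16 (execute).
  AUTHORITY-CHECK OBJECT 'Z_DEMO_ACT'
    ID 'ACTVT' FIELD '16'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " Static dispatch: the input only chooses a branch, it never becomes code.
  CASE iv_action.
    WHEN 'SYSTEM_ID'.
      ev_result = sy-sysid.
    WHEN 'CLIENT'.
      ev_result = sy-mandt.
    WHEN OTHERS.
      RAISE unknown_action.
  ENDCASE.
ENDFUNCTION.
```

The point for a reviewer of custom or third-party ABAP is the combination in the first module: a remote-enabled interface, dynamic code generation (GENERATE SUBROUTINE POOL, INSERT REPORT or similar) fed from a parameter, and no AUTHORITY-CHECK of its own. Any one of those is a finding; all three together is the "backdoor" shape the NVD description refers to.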

Reverse engineering

According to the NVD, this vulnerability “effectively functions as a backdoor”, potentially leading to “full system compromise”.

It is now tracked as CVE-2025-42957 and was given a severity score of 9.9/10 (critical). It was reported to SAP on June 27, 2025 and patched on August 11.

But SecurityBridge says that not all users were quick to deploy the patch, making them an active target for threat actors.

"While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability," the researchers said. "That means attackers already know how to use it – leaving unpatched SAP systems exposed."

"Additionally, reverse engineering the patch to create an exploit is relatively easy for SAP ABAP, since the ABAP code is open to see for everyone."

SecurityBridge stressed threat actors could abuse this flaw to steal sensitive files, manipulate data, deploy malware, escalate privileges, steal login credentials, and possibly even drop ransomware. We don’t know which groups are currently abusing this flaw, how, or against whom.

SAP said vulnerable instances include multiple versions of S/4HANA (private cloud and on-premises), SAP Landscape Transformation, Business One, and NetWeaver Application Server ABAP, and has published a detailed list of affected versions. A more detailed bulletin was also published, but it is only available to SAP customers with an active account.

Via BleepingComputer
