Executive Summary
In August 2025, a critical code injection vulnerability (CVE-2025-42957) in SAP S/4HANA was exploited in the wild, enabling attackers with even low-privileged user access to inject ABAP code and achieve full compromise of both the SAP environment and the underlying host OS. Publicly disclosed and patched by SAP in its August security updates, the flaw affects both private cloud and on-premise deployments. The exploit requires only a basic user account and a remote function call, after which attackers can manipulate or delete SAP data, create persistent admin backdoors, exfiltrate sensitive data, and control the OS. Exploitation attempts surged following patch publication, with confirmed abuse reported by specialist vendors.
This incident highlights the increasing risk of low-complexity, high-impact ERP vulnerabilities, especially as attackers rapidly weaponize disclosed flaws. It underscores the continued targeting of critical business platforms by threat actors leveraging phishing and privileged escalation, emphasizing the urgent need for swift patching and stronger access controls.
Why This Matters Now
CVE-2025-42957 demonstrates how quickly sophisticated threats can exploit SAP ERP weaknesses after disclosure and patching. Organizations running S/4HANA face immediate risk of business disruption and data breach if unpatched, as attackers can readily escalate low-level access into total compromise. With exploitation confirmed in the wild and reverse engineering of patches trivial, urgent action is necessary.
Attack Path Analysis
The attacker first gained access to a low-privileged SAP user account, likely through phishing or prior compromise. Exploiting the SAP S/4HANA code injection vulnerability (CVE-2025-42957), the attacker quickly escalated to administrative privileges on the SAP system and underlying host OS. Once in control, the adversary was able to move laterally to other systems or SAP modules within the same network segment. The attacker established command and control by creating persistent admin accounts and potentially leveraging covert channels. Sensitive corporate data—like hashed passwords and database records—was exfiltrated. The intruder then manipulated or deleted data, created persistent backdoors, or caused operational outages, leading to business impact.
Kill Chain Progression
Initial Compromise
Description
Attacker obtains valid low-privilege SAP user credentials, potentially via phishing or credential stuffing.
Related CVEs
CVE-2025-42957
CVSS 9.9A critical code injection vulnerability in SAP S/4HANA allows low-privileged users to inject arbitrary ABAP code, leading to full system compromise.
Affected Products:
SAP S/4HANA – All releases (Private Cloud and On-Premise)
Exploit Status:
exploited in the wildCVE-2025-42967
CVSS 9.9A code injection vulnerability in SAP S/4HANA and SAP SCM allows attackers to create new reports with arbitrary code, potentially gaining full control of the affected system.
Affected Products:
SAP S/4HANA – All versions
SAP SCM – All versions
Exploit Status:
no public exploitCVE-2025-42993
CVSS 6.7A missing authorization check in SAP S/4HANA's Enterprise Event Enablement allows attackers to create RFC destinations with arbitrary high-privilege users, leading to code execution under those privileges.
Affected Products:
SAP S/4HANA – All versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Command and Scripting Interpreter: ABAP
Valid Accounts
Exploitation for Privilege Escalation
Create Account
Exploit Public-Facing Application
OS Credential Dumping: Dumped Credentials
Data Manipulation: Stored Data Manipulation
Automated Exfiltration
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Timely Patching of System Components
Control ID: 6.1.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Program
Control ID: 500.03
DORA – ICT Risk Management and Patch Management
Control ID: Article 9(2)
CISA ZTMM 2.0 – Least Privilege Enforcement
Control ID: Access Management – Identity, Credential, and Access Management (ICAM), Level 2
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
SAP S/4HANA code injection vulnerability (CVE-2025-42957) enables complete ERP system compromise, threatening enterprise software platforms requiring immediate patching and enhanced access controls.
Financial Services
Critical SAP vulnerability allows database manipulation and credential theft, risking financial data integrity and regulatory compliance under PCI and banking security frameworks.
Health Care / Life Sciences
ERP system compromise through code injection threatens patient data confidentiality and HIPAA compliance, enabling unauthorized access to sensitive healthcare information systems.
Manufacturing
SAP S/4HANA exploitation disrupts production planning and supply chain operations, allowing attackers to manipulate critical business data and create persistent backdoors.
Sources
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Nowhttps://www.darkreading.com/vulnerabilities-threats/sap-4hana-vulnerability-under-attackVerified
- Protect Your SAP S/4HANA from Critical Code Injection Vulnerability [CVE-2025-42957]https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-sap/protect-your-sap-s-4hana-from-critical-code-injection-vulnerability-cve/ba-p/14208866Verified
- CVE-2025-42957: SAP Remote Code Executionhttps://securitybridge.com/blog/cve-2025-42957-sap-remote-code-execution/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, east-west traffic security, egress policy enforcement, and inline threat detection would have restricted unauthorized user access, limited privilege abuse, constrained lateral movement, and detected or blocked malicious exfiltration or data destruction activities within the SAP environment.
Control: Multicloud Visibility & Control
Mitigation: Detection of anomalous logins and unusual access patterns.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline inspection detects and blocks known exploit behaviors.
Control: Zero Trust Segmentation
Mitigation: Blocks unauthorized east-west movement.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous admin creation and outbound behavior are detected and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data movement to unauthorized destinations is blocked or logged.
Detects and limits destructive actions on internal systems.
Impact at a Glance
Affected Business Functions
- Finance
- Supply Chain Management
- Human Resources
Estimated downtime: 5 days
Estimated loss: $1,000,000
Potential exposure of sensitive financial records, employee personal data, and proprietary business information.
Recommended Actions
Key Takeaways & Next Steps
- • Patch SAP S/4HANA systems immediately to eliminate the CVE-2025-42957 code injection vulnerability.
- • Implement zero trust segmentation and microsegmentation to strictly control SAP workload and user communications.
- • Enforce robust egress security policies and continuous traffic monitoring to detect and block unauthorized outbound data flows.
- • Establish centralized visibility and anomaly detection for user and admin account activity across all SAP and cloud environments.
- • Regularly audit for the creation of new admin accounts and monitor for suspicious RFC or API calls within SAP infrastructure.
