A critical vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild, posing an immediate and severe threat to organizations worldwide. With a CVSS score of high, the flaw affects all versions of S/4HANA, both on-premises and in private cloud deployments. Discovered by Researcher, and patched by SAP on August 11, 2025, this ABAP code injection flaw enables attackers with only low-level user access to escalate privileges and gain complete system control. Since SAP’s ABAP code is open, reverse engineering the fix to weaponize an exploit is straightforward, raising the urgency for organizations to patch without delay.

The exploitation of this vulnerability allows attackers to obtain full administrative privileges, granting unrestricted access to the underlying operating system and sensitive corporate data. The potential impact is alarming: theft of critical business information, financial manipulation, industrial espionage, or the deployment of ransomware. Attackers can manipulate databases directly, insert or delete key records, create new administrator accounts with SAP_ALL privileges, extract password hashes, and even alter core business processes. Such a broad range of malicious activities highlights the destructive potential of this exploit.

What makes CVE-2025-42957 particularly dangerous is its low attack complexity. Threat actors only require access to a low-privileged user account, which can easily be obtained via phishing or credential theft. From there, the exploit can be executed remotely over the network without any user interaction, enabling privilege escalation and complete compromise in a matter of minutes. This ease of exploitation significantly widens the attack surface and makes every unpatched system a viable target for opportunistic and advanced threat actors alike.

To mitigate the risk, experts strongly advise immediate application of SAP’s August 2025 security updates, especially SAP Notes 3627998 and 3633838. Organizations should also restrict access to the S_DMIS authorization object, implement SAP UCON to reduce RFC usage, and actively monitor logs for suspicious activities such as unauthorized RFC calls or the creation of new privileged accounts. Additionally, strengthening defenses through network segmentation, regular system backups, and SAP-specific security monitoring solutions is essential to detect, contain, and respond to potential breaches. Without urgent action, enterprises face an elevated risk of widespread compromise and business disruption.