SAP S/4HANA Users Urged to Patch Critical Exploited Bug

Security experts have warned SAP S/4HANA cloud customers that a critical code injection vulnerability patched by the vendor in August is being exploited in the wild.

The vulnerability, CVE-2025-42957, has a CVSS score of 9.9 and could allow an attacker with low user privileges to take full control of an organization’s SAP system.

“Because SAP S/4HANA is typically a central system of an organization’s financial, supply chain, and operational processes, its compromise can bring significant damage to an organization in literally any vertical,” said Jonathan Stross, SAP security analyst at Pathlock.

“Almost every large enterprise uses SAP S/4HANA—from banking and insurance to manufacturing, energy, healthcare, and the public sector. The threat affects both global multinationals and mid-sized firms, since both depend on S/4HANA to keep their businesses running,” he added.

The vendor warned that successful exploitation would give threat actors admin-level control over a targeted SAP system and a pathway to OS-level interference. That could enable sensitive data theft, credential harvesting, deployment of backdoors, ransomware and operational disruption.

“SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks,” noted an NVD entry on the vulnerability.

“This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.”

According to the Dutch National Cyber Security Center, the flaw, which was fixed by SAP on August 12, has already been exploited in the wild, although there’s no publicly available exploit as yet.

No Workarounds, Patching Essential

No workarounds are available; patching is the only route to mitigating the risk of compromise.

Stross warned that a patching timetable of a month “is no longer feasible” for SAP customers in the face of such critical threats.

“Unfortunately, we continue to see hundreds of organizations that remain unpatched and therefore vulnerable to CVE-2025-42957. This also highlights the challenge enterprises face in keeping up with SAP security updates,” he added.

“Applying a fix in an SAP landscape is not as simple as updating a single system. SAP in large enterprises involves multiple interconnected platforms that are deeply customized. Each patch must be carefully tested, especially as these systems span critical business areas such as finance, HR, procurement, and supply chain.”