Critical SAP S/4HANA vulnerability under active attack
Attackers are now exploiting a critical vulnerability in SAP S/4HANA. The patch from the August Patchday closes it.
(Image: heise medien)
Attackers are exploiting a critical vulnerability in SAP's ERP system S/4HANA that allows them to inject malicious code. SAP released a fix on the August Patchday; administrators can install it to close the gap.
IT security researchers at SecurityBridge report in a press release that they have observed an exploit in the wild and were able to confirm that attackers on the Internet are using it. "Immediate patching is imperative," the authors therefore write.
The vulnerability being attacked is tracked as CVE-2025-42957 (EUVD-2025-24203, CVSS 9.9, risk "critical"). SAP itself described the impact as a "backdoor with the risk of complete system compromise". In short, attackers with low privileges on the system can take full control of it. Such low-privilege access can be obtained through phishing, for example, and the flaw can then be exploited over the network without any further user interaction.
Abuse is already taking place
Widespread exploitation has not yet been reported, the researchers write, but they were able to verify concrete abuse of the vulnerability. Attackers know how to use the exploit, which puts unpatched SAP systems at risk. Deriving an exploit from the SAP patch by reverse engineering is also easy, since ABAP code is openly viewable, so the fixed code can simply be compared with the unpatched version.
As a countermeasure, the SecurityBridge researchers recommend applying the security updates from SAP's August Patchday as quickly as possible. Admins should also consider using SAP UCON (Unified Connectivity) to restrict which RFC function modules can be called from outside, and limit who holds the authorization object S_DMIS with activity 02. They further recommend monitoring log files for suspicious RFC calls, newly created admin users, and unexpected changes to ABAP code. In general, they advise hardening systems through network segmentation, backups, and SAP-specific monitoring.
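The three indicators SecurityBridge names (suspicious RFC calls, new admin users, unexpected ABAP code changes) can be turned into a first triage pass over an audit-log export. The Python below is an added example, not code from heise, SAP or SecurityBridge. It assumes a simplified, constructed line format (timestamp, event type, acting user, source host, detail) rather than SAP's native Security Audit Log layout; the allowlists of hosts, function modules and developers, the one-hour window, and all sample lines are constructed for illustration (SAP_ALL and SAP_NEW are real SAP profile names, but treating them as the only "admin" profiles is an assumption).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed baselines: in practice these come from the system's own configuration.
ADMIN_PROFILES = {"SAP_ALL", "SAP_NEW"}             # profiles that grant admin-level rights
ALLOWED_RFC_HOSTS = {"app01.corp.example"}          # hosts expected to make RFC calls
ALLOWED_RFC_FUNCS = {"RFC_READ_TABLE", "RFC_PING"}  # function modules expected over RFC
KNOWN_DEVELOPERS = {"dev_user"}                     # users permitted to change ABAP code
ADMIN_WINDOW = timedelta(hours=1)                   # user creation -> admin profile this fast is odd

# Constructed sample export (not real SAP log data). Fields:
# ISO timestamp, event type, acting user, source host, detail.
SAMPLE_EVENTS = """\
2025-09-01T08:02:11Z RFC_CALL batch_user app01.corp.example RFC_READ_TABLE
2025-09-01T08:03:40Z RFC_CALL web_svc 203.0.113.45 RFC_READ_TABLE
2025-09-01T08:04:02Z RFC_CALL web_svc 203.0.113.45 RFC_ABAP_INSTALL_AND_RUN
2025-09-01T08:05:17Z USER_CREATE web_svc 203.0.113.45 zsupport
2025-09-01T08:05:49Z PROFILE_ASSIGN web_svc 203.0.113.45 zsupport:SAP_ALL
2025-09-01T08:07:03Z ABAP_CHANGE zsupport 203.0.113.45 ZRFC_HELPER
2025-09-01T22:15:00Z ABAP_CHANGE dev_user app01.corp.example ZREPORT_X
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    host: str
    detail: str


def parse_events(text):
    """Parse the assumed five-field line format into Event objects, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, user, host, detail = line.split(maxsplit=4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, user, host, detail))
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_rfc(events):
    """RFC calls from a host outside the baseline or to a function module outside it."""
    findings = []
    for e in events:
        if e.kind != "RFC_CALL":
            continue
        reasons = []
        if e.host not in ALLOWED_RFC_HOSTS:
            reasons.append("unexpected source host")
        if e.detail not in ALLOWED_RFC_FUNCS:
            reasons.append("function module outside baseline")
        if reasons:
            findings.append((e.ts.isoformat(), e.user, e.host, e.detail, "; ".join(reasons)))
    return findings


def find_new_admin_users(events):
    """A freshly created user that receives an admin profile within ADMIN_WINDOW."""
    created = {}
    findings = []
    for e in events:
        if e.kind == "USER_CREATE":
            created[e.detail] = e.ts
        elif e.kind == "PROFILE_ASSIGN":
            target, _, profile = e.detail.partition(":")
            if profile in ADMIN_PROFILES and target in created and e.ts - created[target] <= ADMIN_WINDOW:
                findings.append((e.ts.isoformat(), target, profile, e.user))
    return findings


def find_unexpected_abap_changes(events):
    """ABAP object changes by users who are not known developers."""
    return [(e.ts.isoformat(), e.user, e.host, e.detail)
            for e in events if e.kind == "ABAP_CHANGE" and e.user not in KNOWN_DEVELOPERS]


def analyze(text):
    """Run all three checks over an export and return the findings grouped by indicator."""
    events = parse_events(text)
    return {
        "suspicious_rfc": find_suspicious_rfc(events),
        "new_admin_users": find_new_admin_users(events),
        "abap_changes": find_unexpected_abap_changes(events),
    }


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{indicator}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```

On the constructed sample the script flags the two RFC calls from the unknown host (one of them also to a function module outside the baseline), the user zsupport that was created and given SAP_ALL within a minute, and the ABAP change made by that same new user, while the developer's own change from the expected host passes. The chain "unexpected RFC call, new admin user, code change from the same source" is exactly the post-exploitation pattern the recommendations above are meant to catch.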
(dmk)