A critical SAP S/4HANA code injection vulnerability is being leveraged in attacks in the wild to breach exposed servers, researchers warn.
The flaw, tracked as CVE-2025-42957, is an ABAP code injection problem in an RFC-exposed function module of SAP S/4HANA, allowing low-privileged authenticated users to inject arbitrary ABAP code, bypass authorization checks, and fully take over the SAP system.
The vendor fixed the vulnerability on August 11, 2025, rating it critical (CVSS score: 9.9).
However, several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug.
According to a report by SecurityBridge, CVE-2025-42957 is now under active, albeit limited, exploitation in the wild.
SecurityBridge stated that it discovered the vulnerability and reported it responsibly to SAP on June 27, 2025, and even assisted in the development of a patch.
However, due to the openness of the impacted components and the ability to reverse engineer the fixes, it is trivial for highly skilled, knowledgeable threat actors to figure out the exploit themselves.
"While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability," reads the SecurityBridge report.
"That means attackers already know how to use it – leaving unpatched SAP systems exposed."
"Additionally, reverse engineering the patch to create an exploit is relatively easy for SAP ABAP, since the ABAP code is open to see for everyone."