Critical, make-me-super-user SAP S/4HANA bug being exploited
Briefly

"SAP issued a patch for the 9.9-rated flaw in August. It is tracked as CVE-2025-42957, and it affects both private cloud and on-premises versions. According to SecurityBridge Threat Research Labs, which originally spotted and disclosed the vulnerability to SAP, the team 'verified actual abuse of this vulnerability.' It doesn't appear to be widespread (yet), but the consequences of this flaw are especially severe."
"'For example, SecurityBridge's team demonstrated in a lab environment how an attacker could create a new SAP superuser account (with SAP_ALL privileges) and directly manipulate critical business data,' the researchers said in a Thursday write-up alongside a video demo of the exploit. It's low-complexity to exploit. The bug enables a user to inject arbitrary ABAP code into the system, thus bypassing authorization checks and essentially creating a backdoor that allows full system compromise, data theft, and operational disruption. In other words: it's effectively game over."
A critical code-injection vulnerability in SAP S/4HANA (CVE-2025-42957) lets a low-privileged user inject arbitrary ABAP code and bypass authorization checks. The flaw affects private-cloud and on-premises deployments, is rated 9.9, and was patched in August. Exploitation in the wild has been verified, and a lab demonstration showed creation of an SAP superuser account with SAP_ALL privileges and direct manipulation of business data. The exploit is low complexity and can plant a backdoor leading to full system compromise, data theft, and operational disruption. Recommended mitigations are applying the August updates, implementing SAP UCON, restricting S_DMIS activity 02, and monitoring for suspicious RFC calls, new admin accounts, and ABAP changes.
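The monitoring advice above (suspicious RFC calls, new admin accounts, ABAP changes) is easy to state and less obvious to turn into a rule. The script below is an added example, not code from The Register, SecurityBridge or SAP: it runs a small correlation pass over constructed, audit-style event records and flags the three signals the summary names. The event layout, the user names, the `Z_`-prefixed object names and the RFC allowlist are all constructed for this example; the allowlist only stands in for the idea behind SAP UCON (restricting which RFC-enabled function modules are callable from outside), not for UCON's real configuration.

```python
"""Correlate constructed SAP-audit-style events into findings for the three
post-CVE-2025-42957 monitoring signals: privileged-profile grants to new
accounts, unexpected ABAP changes, and RFC calls outside an allowlist.
Added example; the record format below is constructed, not a real SAP log."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    """One audit-style record. Field layout is constructed for this example."""
    ts: int            # seconds since epoch (constructed values)
    actor: str         # user performing the action
    kind: str          # USER_CREATE | PROFILE_ASSIGN | ABAP_CHANGE | RFC_CALL
    target: str = ""   # profile name, ABAP object, or RFC function module
    subject: str = ""  # user being created or being granted a profile
    via: str = ""      # channel or transaction, e.g. "SU01", "SE80", "RFC"


# Hypothetical allowlist standing in for a UCON-style set of RFC-exposed modules.
RFC_ALLOWLIST = {"RFC_PING", "RFC_SYSTEM_INFO"}
# SAP_ALL is the profile the article says the demonstrated attack assigns.
PRIVILEGED_PROFILES = {"SAP_ALL"}
# Accounts expected to change ABAP objects in this hypothetical system.
ABAP_DEVELOPERS = {"DEVUSER"}
# A privileged grant this soon after account creation is rated high severity.
RECENT_CREATE_WINDOW = 3600


def detect(events: Iterable[Event], rfc_allowlist=RFC_ALLOWLIST,
           window: int = RECENT_CREATE_WINDOW) -> List[Dict]:
    """Return one finding dict per suspicious event, in timestamp order."""
    findings: List[Dict] = []
    created: Dict[str, Event] = {}  # new username -> its USER_CREATE event
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "USER_CREATE":
            created[e.subject] = e
        elif e.kind == "PROFILE_ASSIGN" and e.target in PRIVILEGED_PROFILES:
            birth = created.get(e.subject)
            recent = birth is not None and e.ts - birth.ts <= window
            findings.append({
                "rule": "PRIVILEGED_PROFILE_ASSIGNED",
                "severity": "high" if recent else "medium",
                "ts": e.ts, "actor": e.actor, "subject": e.subject,
                "detail": f"{e.target} granted to {e.subject} by {e.actor}"
                          + (f" ({e.ts - birth.ts}s after creation)" if recent else ""),
            })
        elif e.kind == "ABAP_CHANGE" and (e.actor not in ABAP_DEVELOPERS or e.via == "RFC"):
            findings.append({
                "rule": "ABAP_CHANGE_UNEXPECTED", "severity": "high",
                "ts": e.ts, "actor": e.actor, "subject": e.target,
                "detail": f"{e.target} changed by {e.actor} via {e.via or 'unknown'}",
            })
        elif e.kind == "RFC_CALL" and e.target not in rfc_allowlist:
            findings.append({
                "rule": "RFC_NOT_ALLOWLISTED", "severity": "medium",
                "ts": e.ts, "actor": e.actor, "subject": e.target,
                "detail": f"{e.actor} called {e.target}, not in RFC allowlist",
            })
    return findings


# Constructed sample: a benign RFC call, then a low-privileged account that
# calls an unlisted module, edits an ABAP object over RFC, creates a user and
# grants it SAP_ALL; later a legitimate developer change and an SAP_ALL grant
# to a long-standing account (still worth a look, but lower severity).
SAMPLE_EVENTS = [
    Event(1000, "BATCH01", "RFC_CALL", target="RFC_PING", via="RFC"),
    Event(1010, "LOWPRIV", "RFC_CALL", target="Z_CONSTRUCTED_FM", via="RFC"),
    Event(1020, "LOWPRIV", "ABAP_CHANGE", target="ZCL_CONSTRUCTED", via="RFC"),
    Event(1030, "LOWPRIV", "USER_CREATE", subject="ZADMIN2", via="SU01"),
    Event(1040, "LOWPRIV", "PROFILE_ASSIGN", target="SAP_ALL", subject="ZADMIN2", via="SU01"),
    Event(5000, "DEVUSER", "ABAP_CHANGE", target="ZCL_OTHER", via="SE80"),
    Event(9000, "BASIS01", "PROFILE_ASSIGN", target="SAP_ALL", subject="OLDUSER", via="SU01"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['severity']:6} {f['rule']:28} {f['detail']}")
```

The ordering matters: sorting by timestamp before the pass is what lets the SAP_ALL grant to `ZADMIN2` be tied back to the account's creation a few seconds earlier and rated higher than the grant to `OLDUSER`. In a real deployment the allowlist and developer set would come from the system's own UCON and change-management data rather than from constants.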
Read at Theregister