A high-risk security flaw in SAP S/4HANA, a widely used Enterprise Resource Planning (ERP) platform, is now under active exploitation in the wild.
The vulnerability, tracked as CVE-2025-42957, was patched by SAP in its August 2025 security update. However, cybersecurity experts warn that attackers are now leveraging the flaw to compromise vulnerable systems.
The issue is a command injection vulnerability in a remote function call (RFC) interface. It allows attackers with low-level user privileges to inject arbitrary ABAP code, bypassing key authorization checks and potentially leading to complete system takeover.
“Successful exploitation gives the attacker the ability to act with administrative privileges in the SAP system. In practice, this means an attacker could do anything a legitimate SAP administrator could do, and more,” warned SecurityBridge Threat Research Labs.
The exploit reportedly requires minimal privileges and is relatively easy to develop by reverse engineering the patch. At present, there is no evidence of widespread attacks.
Cybersecurity vendor Pathlock also reported detecting “outlier activity consistent with exploitation attempts of CVE-2025-42957,” noting that any organization that has not yet applied SAP’s August 2025 security notes is at risk and that there are no effective workarounds other than patching the flaw.