PT-2025-32613 · SAP · SAP S/4HANA

Published: 2025-08-12 · Updated: 2025-10-09 · CVE-2025-42957

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAP S/4HANA versions prior to August 2025

Description: SAP S/4HANA contains a critical vulnerability that allows an attacker with ordinary user privileges to exploit a flaw in a function module exposed via RFC. The flaw allows arbitrary ABAP code to be injected into the system, bypassing the authorization checks that should prevent it; it effectively functions as a backdoor and can lead to full system compromise, impacting confidentiality, integrity, and availability. The vulnerability is actively exploited in the wild, and successful exploitation grants attackers full system control, enabling actions such as creating superusers, stealing data, and deploying ransomware. The vulnerability is tracked as CVE-2025-42957 and has a CVSS score of 9.9. It affects S/4HANA, DMIS, Business One, and NetWeaver.

Recommendations: Apply SAP Security Notes 3627998 and 3633838 immediately.

Exploit

Fix

Weakness Enumeration

Code Injection

Related Identifiers

BDU:2025-10538
CVE-2025-42957

Affected Products

SAP S/4HANA