- SAP patches a critical S/4HANA flaw that enabled full system takeover
- Attackers can inject ABAP code and bypass authorization checks via RFC
- Some systems remain unpatched, and exploitation has already been confirmed
S/4HANA, SAP's Enterprise Resource Planning (ERP) software package, had a critical vulnerability that allowed threat actors to fully take over vulnerable endpoints.
The company has now released a patch after security researchers warned of "limited" exploitation in the wild.
Researchers from SecurityBridge discovered and reported the improper control of code generation flaw, which could lead to code injection. An attacker with ordinary user privileges could exploit it via RFC, inject arbitrary ABAP code, and thereby bypass essential authorization checks.
Reverse engineering
According to NVD, this vulnerability acts "effectively as a backdoor", which potentially leads to "full system compromise".
It is now tracked as CVE-2025-42957 and carries a severity score of 9.9/10 (critical). It was discovered on June 27, 2025 and fixed on August 11.
But SecurityBridge says not all users were quick to apply the patch, leaving them an active target for threat actors.
"Although widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability," the researchers said. "This means that attackers already know how to use it. Do not leave SAP systems exposed."
"In addition, reverse engineering the patch to create an exploit is relatively easy for SAP ABAP, as the ABAP code is open for everyone to see."
SecurityBridge stressed that threat actors could abuse this flaw to steal sensitive files, manipulate data, deploy malware, escalate privileges, steal login credentials and possibly even deploy ransomware. It is not known which groups are currently exploiting this vulnerability, how, or against whom.
SAP said that affected products include several versions of S/4HANA (Private Cloud and On-Premise), Landscape Transformation, Business One and NetWeaver Application Server ABAP. A detailed list can be found here. A more detailed bulletin was also published, but it is only available to SAP customers with an active account.
Via BleepingComputer