H-ISAC TLP White Threat Bulletin: Critical SAP S/4HANA Vulnerability Actively Exploited (CVE-2025-42957) Sept. 9, 2025

Exploitation of the SAP S/4HANA flaw, tracked as CVE-2025-42957, has been disclosed. The vulnerability allows code injection and privilege escalation, potentially giving a low-privileged user full control of the SAP system.

The flaw, originally disclosed and patched in August, has a CVSS score of 9.9, highlighting its criticality. It affects all S/4 HANA releases, including Private Cloud and On-Premise.

An attacker only needs a valid SAP user account with access to a specific vulnerable RFC module and the S_DMIS authorization object. No user interaction, such as clicking a malicious link, is required. This low bar for entry makes the attack particularly dangerous.

Once an attacker gains a foothold, they can execute arbitrary ABAP code, read or modify any data, create new administrative users, steal password hashes, and disrupt critical business processes.

The exploit's simplicity and network-based nature allow a threat actor to quickly escalate basic user credentials obtained through phishing or an insider threat into a full compromise of the entire SAP environment.

View the detailed bulletin below.