A major security flaw has been discovered in SAP’s flagship enterprise software, S/4HANA, and attackers are already exploiting it. The bug, tracked as CVE-2025-42957, carries a near-maximum severity rating of 9.9 CVSS, underscoring how dangerous it is for businesses that depend on SAP to run essential functions like finance, supply chain, and HR.
What’s Going Wrong
At the heart of the issue is a weakness in Remote Function Call (RFC) modules, where improper input validation lets attackers inject malicious ABAP code. Once inside, hackers can seize full control of the affected SAP environment—with no user action required.
Researchers note that even low-level user credentials, often stolen through phishing, are enough to launch an attack. Because the exploit is relatively simple to reproduce once the patch is analyzed, the threat of widespread attacks is significant.
Why It Matters
A successful compromise can cripple an organization. Attackers could:
- Steal or alter sensitive business data
- Escalate privileges and create hidden backdoor accounts
- Collect employee and customer credentials
- Deploy ransomware to disrupt operations
Given SAP’s role in running mission-critical systems for multinational corporations, the fallout could be enormous if organizations fail to act quickly.
Systems at Risk
The vulnerability impacts multiple SAP platforms, including:
- SAP S/4HANA (versions 102–108)
- SAP Landscape Transformation (SLT)
- SAP NetWeaver ABAP servers
- SAP Business One on HANA 10.0
SAP issued fixes in its August 2025 Patch Day, with security notes 3627998 and 3633838 providing the necessary updates.
What Companies Should Do Now
Security experts stress that patching is the most effective defense, and it should be prioritized for systems exposed to the internet or supporting critical operations. For organizations unable to apply fixes immediately, interim steps include:
- Limiting access to SAP systems to trusted networks
- Segmenting SAP environments from the broader corporate network
- Monitoring logs for unusual RFC activity or sudden creation of admin accounts
- Enforcing least-privilege rules to reduce the attack surface
Organizations are also advised to review incident response plans specifically for SAP breaches, ensuring backup systems are functional and isolated.
The Bigger Picture
This case highlights a broader trend: enterprise resource planning (ERP) platforms like SAP are now prime targets for both cybercriminals and state-backed hackers. Unlike consumer software, ERP systems often carry vast amounts of business-critical data and are deeply integrated into operations, making them high-value targets.
Cybersecurity specialists warn that waiting for routine patch cycles is no longer viable. With attackers moving fast to exploit new flaws, enterprises must adopt more agile patching strategies and proactive monitoring to stay ahead.