CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957

First reported
Last updated
πŸ“° 3 unique sources, 3 articles

Summary

Hide β–²

A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.

Timeline

  1. 05.09.2025 16:36 πŸ“° 2 articles

    Patch released and active exploitation confirmed

    The vendor released a patch for the vulnerability on August 11, 2025. However, several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge confirmed actual abuse of the vulnerability CVE-2025-42957 in the wild. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Pathlock detected outlier activity consistent with exploitation attempts of CVE-2025-42957. Exploitation activity surged dramatically after the patch for CVE-2025-42957 was released. The affected products and versions include S/4HANA (Private Cloud or On-Premise), Landscape Transformation, Business One, and NetWeaver Application Server ABAP. SecurityBridge created a video demonstrating the exploitation of the vulnerability. Organizations are advised to apply patches immediately and monitor for suspicious activity. SecurityBridge recommended implementing SAP's Unified Connectivity framework (UCON) to restrict RFC usage and monitor logs for suspicious RFC calls and newly created admin accounts.

    Show sources
    Open in new tab
  2. 05.09.2025 13:59 πŸ“° 2 articles

    Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957

    SecurityBridge Threat Research Labs observed active exploitation of the command injection vulnerability CVE-2025-42957 in SAP S/4HANA. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and assisted in the development of a patch. The vendor fixed the vulnerability on August 11, 2025, rating it critical (CVSS score: 9.9). The article confirms active exploitation in the wild, although exploitation is currently limited. The potential ramifications of exploitation include data theft, data manipulation, code injection, privilege escalation, credential theft, and operational disruption. The affected products and versions include S/4HANA (Private Cloud or On-Premise), Landscape Transformation, Business One, and NetWeaver Application Server ABAP. SecurityBridge created a video demonstrating the exploitation of the vulnerability. Organizations are advised to apply patches immediately and monitor for suspicious activity.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344

A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.

Open in new tab

CVE-2025-5086 in DELMIA Apriso Exploited in the Wild

A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.

Open in new tab

Remote Code Execution Vulnerability in Samsung's libimagecodec.quram.so Library Exploited in the Wild

A remote code execution vulnerability in Samsung's libimagecodec.quram.so library, tracked as CVE-2025-21043, was actively exploited in zero-day attacks targeting Samsung Android devices running Android 13, 14, 15, or 16. The flaw, reported by Meta and WhatsApp, allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. The CVSS score for the vulnerability is 8.8. Samsung has released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR). The exploit may affect other instant messengers using the vulnerable library. Users are advised to update their devices to the latest security patch.

Open in new tab

Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations

The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks to mitigate risks.

Open in new tab

Cursor AI editor autoruns malicious code in repositories

A flaw in the Cursor AI editor allows malicious code in repositories to autorun on developer devices. This vulnerability can lead to malware execution, environment hijacking, and credential theft. The issue arises from Cursor disabling the Workspace Trust feature from VS Code, which prevents automatic task execution without explicit user consent. The flaw affects one million users who generate over a billion lines of code daily. The Cursor team has decided not to fix the issue, citing the need to maintain AI and other features. They recommend users enable Workspace Trust manually or use basic text editors for unknown projects. The flaw is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding tools.

Open in new tab