SAP S/4HANA Command Injection Vulnerability CVE-2025-42957 Exploited in the Wild
Summary
Hide ▲
Show ▼
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA. The flaw was patched in SAP's August 2025 updates, but exploitation has been observed. SecurityBridge Threat Research Labs, BleepingComputer, and Pathlock have reported active exploitation. Organizations are advised to apply patches, monitor logs for suspicious RFC calls or new admin users, implement SAP's Unified Connectivity framework (UCON) to restrict RFC usage, and take additional security measures to mitigate the risk.
Timeline
-
05.09.2025 13:59 3 articles · 24d ago
Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957
SecurityBridge Threat Research Labs, BleepingComputer, and Pathlock observed active exploitation of the command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA. The flaw was patched in SAP's August 2025 updates, but exploitation has been observed. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and assisted in the development of the patch. Pathlock detected outlier activity consistent with exploitation attempts of CVE-2025-42957 and reported a surge in exploitation activity following the patch release. Organizations are advised to apply patches, monitor logs, implement SAP's Unified Connectivity framework (UCON) to restrict RFC usage, and take additional security measures to mitigate the risk.
Show sources
- SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild — thehackernews.com — 05.09.2025 13:59
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
Information Snippets
-
The vulnerability, CVE-2025-42957, has a CVSS score of 9.9.
First reported: 05.09.2025 13:593 sources, 3 articlesShow sources
- SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild — thehackernews.com — 05.09.2025 13:59
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
The flaw allows attackers to inject arbitrary ABAP code into the system, bypassing authorization checks.
First reported: 05.09.2025 13:593 sources, 3 articlesShow sources
- SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild — thehackernews.com — 05.09.2025 13:59
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
Successful exploitation can lead to full system compromise, including modification of the SAP database, creation of superuser accounts, and alteration of business processes.
First reported: 05.09.2025 13:593 sources, 3 articlesShow sources
- SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild — thehackernews.com — 05.09.2025 13:59
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
The vulnerability impacts both on-premise and Private Cloud editions of SAP S/4HANA.
First reported: 05.09.2025 13:593 sources, 3 articlesShow sources
- SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild — thehackernews.com — 05.09.2025 13:59
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
Exploitation requires only low-privileged user access to fully compromise an SAP system.
First reported: 05.09.2025 13:593 sources, 3 articlesShow sources
- SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild — thehackernews.com — 05.09.2025 13:59
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
SecurityBridge Threat Research Labs observed active exploitation of the flaw.
First reported: 05.09.2025 13:593 sources, 3 articlesShow sources
- SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild — thehackernews.com — 05.09.2025 13:59
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
Organizations are advised to apply patches, monitor logs for suspicious RFC calls or new admin users, and implement additional security measures.
First reported: 05.09.2025 13:593 sources, 3 articlesShow sources
- SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild — thehackernews.com — 05.09.2025 13:59
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
The vulnerability was discovered and reported by SecurityBridge to SAP on June 27, 2025.
First reported: 05.09.2025 16:362 sources, 2 articlesShow sources
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
SecurityBridge assisted in the development of the patch for CVE-2025-42957.
First reported: 05.09.2025 16:362 sources, 2 articlesShow sources
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
The flaw is an ABAP code injection problem in an RFC-exposed function module of SAP S/4HANA.
First reported: 05.09.2025 16:362 sources, 2 articlesShow sources
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
The affected products and versions include S/4HANA (Private Cloud or On-Premise), Landscape Transformation, Business One, and NetWeaver Application Server ABAP.
First reported: 05.09.2025 16:361 source, 1 articleShow sources
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
-
The potential ramifications of exploitation include data theft, data manipulation, code injection, privilege escalation, credential theft, and operational disruption.
First reported: 05.09.2025 16:362 sources, 2 articlesShow sources
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
SecurityBridge created a video demonstrating the exploitation of the vulnerability to run system commands on SAP servers.
First reported: 05.09.2025 16:361 source, 1 articleShow sources
- Critical SAP S/4HANA vulnerability now exploited in attacks — www.bleepingcomputer.com — 05.09.2025 16:36
-
Pathlock detected outlier activity consistent with exploitation attempts of CVE-2025-42957.
First reported: 05.09.2025 23:111 source, 1 articleShow sources
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
Exploitation activity surged dramatically after the patch for CVE-2025-42957 was released.
First reported: 05.09.2025 23:111 source, 1 articleShow sources
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
The patch for CVE-2025-42957 is relatively easy to reverse engineer, granting attackers access to the operating system and all data in the targeted SAP system.
First reported: 05.09.2025 23:111 source, 1 articleShow sources
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
-
SecurityBridge recommended implementing SAP's Unified Connectivity framework (UCON) to restrict RFC usage and monitor logs for suspicious RFC calls and newly created admin accounts.
First reported: 05.09.2025 23:111 source, 1 articleShow sources
- Critical SAP S/4HANA Vulnerability Under Attack, Patch Now — www.darkreading.com — 05.09.2025 23:11
Similar Happenings
ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
Supermicro BMC Firmware Vulnerabilities Allow Firmware Tampering
Two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware allow attackers to bypass firmware verification and update the system with malicious firmware. These vulnerabilities, CVE-2025-7937 and CVE-2025-6198, exploit flaws in the cryptographic signature verification process. The vulnerabilities affect the Root of Trust (RoT) security feature, potentially allowing attackers to gain persistent control over the BMC system and the main server OS. The issues were discovered by Binarly, a firmware security company. Supermicro has released firmware fixes for impacted models, and Binarly has released proof-of-concept exploits for both vulnerabilities. CVE-2025-7937 is a bypass for a previously disclosed vulnerability, CVE-2024-10237, which was reported by NVIDIA. CVE-2025-6198 bypasses the BMC RoT security feature, raising concerns about the reuse of cryptographic signing keys.
Command injection flaw in Libraesva ESG exploited by state actors
Libraesva has released an emergency update for its Email Security Gateway (ESG) solution to address a command injection vulnerability (CVE-2025-59689). This flaw, exploited by a state-sponsored actor, allows arbitrary shell command execution via a crafted email attachment. The vulnerability affects all versions from 4.5 onwards and has been patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The exploit was discovered and patched within 17 hours of detection. The vulnerability is triggered by improper sanitization of compressed archive formats, enabling non-privileged users to execute arbitrary commands. The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module to verify the update's application. The vulnerability has a CVSS score of 6.1, indicating medium severity. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.