Critical SAP S/4HANA vulnerability now exploited in attacks
SAP S/4HANA存在严重代码注入漏洞CVE-2025-42957,允许低权限用户绕过授权并完全接管系统。该漏洞已修复(CVSS评分9.9),但部分未更新系统遭黑客利用。攻击可能导致数据窃取、权限提升及恶意软件攻击。建议立即应用补丁以应对风险。 2025-9-5 13:45:22 Author: www.bleepingcomputer.com(查看原文) 阅读量:5 收藏

SAP

A critical SAP S/4HANA code injection vulnerability is being leveraged in attacks in the wild to breach exposed servers, researchers warn.

The flaw, tracked as CVE-2025-42957, is an ABAP code injection problem in an RFC-exposed function module of SAP S/4HANA, allowing low-privileged authentication users to inject arbitrary code, bypass authorization, and fully take over SAP.

The vendor fixed the vulnerability on August 11, 2025, rating it critical (CVSS score: 9.9).

However, several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug.

According to a report by SecurityBridge, CVE-2025-42957 is now under active, albeit limited, exploitation in the wild.

SecurityBridge stated that it discovered the vulnerability and reported it responsibly to SAP on June 27, 2025, and even assisted in the development of a patch.

However, due to the openness of the impacted components and the ability to reverse engineer the fixes, it is trivial for highly skilled, knowledgeable threat actors to figure out the exploit themselves.

"While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability," reads the SecurityBridge report.

"That means attackers already know how to use it – leaving unpatched SAP systems exposed."

"Additionally, reverse engineering the patch to create an exploit is relatively easy for SAP ABAP, since the ABAP code is open to see for everyone."

The security firm warned that the potential ramifications of CVE-2025-42957 exploitation include data theft, data manipulation, code injection, privilege escalation through the creation of backdoor accounts, credential theft, and operational disruption through malware, ransomware, or other means.

SecurityBridge created a video demonstrating how the vulnerability can be exploited to run system commands on SAP servers.

SAP administrators who haven't applied the August 2025 Patch Day updates yet should do so as soon as possible.

The affected products and versions are:

  • S/4HANA (Private Cloud or On-Premise), versions S4CORE 102, 103, 104, 105, 106, 107, 108
  • Landscape Transformation (Analysis Platform), DMIS versions 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
  • Business One (SLD), version B1_ON_HANA 10.0 and SAP-M-BO 10.0
  • NetWeaver Application Server ABAP (BIC Document), versions S4COREOP 104, 105, 106, 107, 108, SEM-BW 600, 602, 603, 604, 605, 634, 736, 746, 747, 748

A bulletin containing more information about the recommended actions is available here, but is only viewable by SAP customers with an account.

BleepingComputer contacted SAP and SecurityBridge to ask how CVE-2025-42957 is being exploited, but we are still waiting for a response.


文章来源: https://www.bleepingcomputer.com/news/security/critical-sap-s-4hana-vulnerability-now-exploited-in-attacks/
如有侵权请联系:admin#unsafe.sh