Platform
sap
Component
sap-s-4hana
Fixed in
4.0.1
103.0.1
104.0.1
105.0.1
106.0.1
107.0.1
108.0.1
CVE-2025-42957 represents a critical vulnerability within SAP S/4HANA 102. This flaw allows an attacker possessing user privileges to inject arbitrary ABAP code through a function module exposed via RFC, effectively bypassing authorization controls. Successful exploitation can lead to complete system compromise, impacting the confidentiality, integrity, and availability of the system. The vulnerability was published on August 12, 2025, and a patch is required to remediate the risk.
The impact of CVE-2025-42957 is severe. An attacker who successfully exploits this vulnerability gains the ability to execute arbitrary ABAP code within the SAP S/4HANA system. This effectively creates a backdoor, granting them complete control over the system's functionality. They can potentially access sensitive data, modify critical business processes, and even delete or corrupt data. The ability to bypass authorization checks means that even users with limited privileges could potentially escalate their access and compromise the entire system. This vulnerability shares similarities with other code injection flaws that have led to significant data breaches and operational disruptions in enterprise environments.
CVE-2025-42957 is a high-priority vulnerability due to its CRITICAL CVSS score and the potential for complete system compromise. Public proof-of-concept exploits are likely to emerge given the ease of code injection. The vulnerability was disclosed on August 12, 2025. It is reasonable to expect that threat actors will actively target SAP S/4HANA deployments to exploit this flaw. Monitor CISA KEV listings for updates.
Exploit Status
EPSS
0.08% (24% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-42957 is to upgrade to a patched version of SAP S/4HANA as soon as it becomes available. Until the upgrade can be performed, consider implementing temporary workarounds. Restrict access to the vulnerable RFC function module, limiting it to only authorized users and systems. Implement strict input validation on any data passed to the function module to prevent malicious code injection. Monitor system logs for suspicious activity, particularly attempts to access or execute the vulnerable function module. After applying the upgrade, verify the fix by attempting to trigger the vulnerability using known attack vectors and confirming that the authorization checks are properly enforced.
Apply the security updates and patches provided by SAP for S/4HANA. Refer to SAP Note 3627998 and the SAP Security Patch Day for detailed information on the fix and corrected versions. Ensure that all users have the minimum privileges necessary to perform their tasks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-42957 is a critical vulnerability in SAP S/4HANA 102 that allows attackers with user privileges to inject arbitrary ABAP code via RFC, potentially leading to full system compromise.
If you are running SAP S/4HANA version 102, you are potentially affected by this vulnerability. Immediate action is required to mitigate the risk.
The recommended fix is to upgrade to a patched version of SAP S/4HANA as soon as it becomes available. Until then, implement temporary workarounds like restricting RFC access.
While there is no confirmed widespread exploitation at this time, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted by attackers.
Refer to the official SAP Security Notes and Advisories on the SAP Support Portal for the latest information and guidance regarding CVE-2025-42957.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.