Back to KEVs

CVE-2025-42957

Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise)

Basic Information

CVE State
PUBLISHED
Reserved Date
April 16, 2025
Published Date
August 12, 2025
Last Updated
February 26, 2026
Vendor
SAP_SE
Product
SAP S/4HANA (Private Cloud or On-Premise)
Description
SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

CVSS Scores

CVSS v3.1

9.9 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation
poc
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-09-06 16:03:13 UTC) Source

References

https://me.sap.com/notes/3627998 https://url.sap/sapsecuritypatchday

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-09-06 16:03:13 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel