
Patch Now | CVE‑2025‑42957 | Critical SAP S/4HANA Code Injection Vulnerability

5-min read | Published: 09.05.2025 | Updated: 09.22.2025

Executive Summary

  • The exploit for CVE-2025-42957 exists in the wild. CVE‑2025‑42957 is a critical (9.9) SAP S/4HANA Code Injection Vulnerability allowing an attacker with low user privileges to take full control of an organization’s SAP system.
  • All unpatched organizations are at risk. SAP released fixes on August 12, 2025: Note 3627998 for S/4HANA (CVE‑2025‑42957) and, if SLT/DMIS is in scope, Note 3633838 (CVE‑2025‑42950). [4][6]
  • Low privileges, high impact. Network‑reachable RFC path enables a basic user to inject ABAP and escalate to full control. [5][8][9]
  • No vendor workaround. Only patching mitigates the threat. [7][8]
  • Related issue. A similar code‑injection flaw in April 2025 (CVE‑2025‑27429) affected /SLOAP/GEN_MODULE_REPORT and was fixed via Note 3581961. [10][8]

Why It Matters

Because SAP S/4HANA is typically the central system for an organization’s financial, supply chain, and operational processes, its compromise can cause significant damage in any vertical. Almost every large enterprise uses SAP S/4HANA, from banking and insurance to manufacturing, energy, healthcare, and the public sector. The threat affects global multinationals and mid-sized firms alike, since both depend on S/4HANA to keep their businesses running.

Successful exploitation of CVE‑2025‑42957 can grant an attacker administrator‑level control in SAP and provide a path to OS‑level actions. In practice, attackers can steal sensitive regulated data, create hidden backdoors, harvest credentials, disrupt operations and even deploy ransomware. [4][5][8]

Pathlock Research Lab telemetry has detected outlier activity consistent with exploitation attempts of CVE-2025-42957.

1) Patch now (no workaround)

Any organization that has not yet applied SAP’s August 2025 security notes is at risk. Unlike some other SAP issues, there are no effective workarounds here: patching is the only way to remediate it.

– S/4HANA: Note 3627998 (CVE‑2025‑42957). [4][5][9]
– SLT/DMIS: Note 3633838 (CVE‑2025‑42950). [4][6]
– No vendor workaround; patches remove vulnerable code paths. [7][8]

2) Reduce RFC attack surface (UCON & allowlists)

– Enable SAP UCON to allowlist only necessary remote‑enabled function modules (RFMs) and block the rest. [11]
– Harden RFC callbacks: in SM59, use the RFC callback allowlist and set rfc/callback_security_method to a secure level. [12][13]



3) Tighten authorizations

– Review S_RFC permissions on sensitive destinations and RFMs.
– For SLT/DMIS landscapes, scrutinize DMIS‑related authorization objects and avoid unnecessary change activities.



4) Monitor and hunt (before and after patching)

– Focus RFMs: /SLOAE/DEPLOY (Aug 2025) and /SLOAP/GEN_MODULE_REPORT (Apr 2025). [7][8]
– Callback abuse patterns: watch for anomalous RFC_PING usage and unexpected creation of ABAP reports/programs, new admin users, or changes to destinations/trust settings. [12][13]
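As an added example that is not Pathlock’s or SAP’s code, the following Python script shows how the UCON allowlist idea from section 2 and the hunting rules from section 4 can be written as detection logic over log records: calls to the two function modules named in the notes, calls to RFMs outside an allowlist, bursts of RFC_PING callbacks from one caller, and follow-on changes such as new reports, new users, or edited destinations. The pipe-separated record layout, the allowlist contents, the user and host names, and the RFC_PING threshold are all constructed assumptions; a real implementation would parse the Security Audit Log (SM20) and RFC gateway logs in their actual formats and tune the threshold to the landscape.

```python
"""Hunting rules over constructed RFC/audit-style records (illustrative only).

Assumed record layout: timestamp|user|caller_host|event|detail
This is NOT the real SAP Security Audit Log or gateway log format.
"""
from collections import Counter
from dataclasses import dataclass

# Function modules named in the April and August 2025 SAP notes.
WATCHED_RFMS = {"/SLOAE/DEPLOY", "/SLOAP/GEN_MODULE_REPORT"}

# Hypothetical UCON-style allowlist of RFMs this system is expected to expose.
UCON_ALLOWLIST = {"RFC_READ_TABLE", "BAPI_USER_GET_DETAIL", "RFC_PING"}

# Assumed tuning value: more RFC_PING callbacks than this from one caller is a burst.
PING_THRESHOLD = 5

# Events that, after an RFC call to a vulnerable module, suggest post-exploitation.
SUSPICIOUS_CHANGES = {"REPORT_CREATED", "USER_CREATED",
                      "DESTINATION_CHANGED", "TRUST_CHANGED"}

# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
2025-09-01T08:00:01|JDOE|10.0.0.21|RFC_CALL|RFC_READ_TABLE
2025-09-01T08:00:02|JDOE|10.0.0.21|RFC_CALL|BAPI_USER_GET_DETAIL
2025-09-01T08:05:10|SVC_RPT|10.0.0.77|RFC_CALL|/SLOAE/DEPLOY
2025-09-01T08:05:11|SVC_RPT|10.0.0.77|RFC_CALLBACK|RFC_PING
2025-09-01T08:05:12|SVC_RPT|10.0.0.77|RFC_CALLBACK|RFC_PING
2025-09-01T08:05:13|SVC_RPT|10.0.0.77|RFC_CALLBACK|RFC_PING
2025-09-01T08:05:14|SVC_RPT|10.0.0.77|RFC_CALLBACK|RFC_PING
2025-09-01T08:05:15|SVC_RPT|10.0.0.77|RFC_CALLBACK|RFC_PING
2025-09-01T08:05:16|SVC_RPT|10.0.0.77|RFC_CALLBACK|RFC_PING
2025-09-01T08:05:20|SVC_RPT|10.0.0.77|RFC_CALL|Z_UNKNOWN_FM
2025-09-01T08:05:30|SVC_RPT|10.0.0.77|REPORT_CREATED|ZTMP_X1
2025-09-01T08:06:00|SVC_RPT|10.0.0.77|USER_CREATED|ZADM_BK role=SAP_ALL
2025-09-01T08:06:10|SVC_RPT|10.0.0.77|DESTINATION_CHANGED|RFC_DEST_ERP
"""


@dataclass(frozen=True)
class Record:
    ts: str
    user: str
    host: str
    event: str
    detail: str


def parse_log(text):
    """Parse pipe-separated records; malformed or comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        records.append(Record(*parts))
    return records


def hunt(records):
    """Apply the detection rules and return a list of findings (dicts)."""
    findings = []
    pings = Counter()  # (user, host) -> number of RFC_PING callbacks
    for r in records:
        if r.event == "RFC_CALL" and r.detail in WATCHED_RFMS:
            findings.append({"rule": "watched_rfm_call", "user": r.user,
                             "host": r.host, "detail": r.detail})
        elif r.event == "RFC_CALL" and r.detail not in UCON_ALLOWLIST:
            findings.append({"rule": "rfm_outside_allowlist", "user": r.user,
                             "host": r.host, "detail": r.detail})
        if r.event == "RFC_CALLBACK" and r.detail == "RFC_PING":
            pings[(r.user, r.host)] += 1
        if r.event in SUSPICIOUS_CHANGES:
            findings.append({"rule": "suspicious_change", "user": r.user,
                             "host": r.host, "detail": f"{r.event} {r.detail}"})
    for (user, host), n in pings.items():
        if n > PING_THRESHOLD:
            findings.append({"rule": "rfc_ping_callback_burst", "user": user,
                             "host": host, "detail": f"{n} RFC_PING callbacks"})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a quick triage view."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = hunt(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['rule']:26} {f['user']}@{f['host']}: {f['detail']}")
    print(dict(summarize(results)))
```

The rules are deliberately ordered so that a call to a watched module is reported once, as `watched_rfm_call`, rather than also as an allowlist deviation; in a SIEM the same sequence (vulnerable RFM call, callback burst, then report/user/destination changes from the same caller) is the correlation worth alerting on, not any single line.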



5) Harden the environment

– Segment SAP tiers; enforce frequent, verified backups and stream SAP Security Audit Log and other logs to your SIEM.
– Validate patch coverage and detections across all clients/systems.

What makes CVE‑2025‑42957 especially dangerous?


• Minimal prerequisites: a low‑privileged SAP account can reach a vulnerable RFC module and inject ABAP. [5][9]
• Remote, low complexity: scored 9.9 (critical) with network reachability and no user interaction. [4][5]
• Composable with known TTPs: once arbitrary ABAP executes, attackers can persist, escalate privileges, and manipulate business processes; callback misuse (e.g., via RFC_PING) is a known pattern. [12][13]



Discovery, disclosure, and timeline

  • April 8, 2025: SAP patches CVE‑2025‑27429 (S/4HANA) via Note 3581961 (function /SLOAP/GEN_MODULE_REPORT). [10][8]

  • August 12, 2025: SAP releases Note 3627998 (CVE‑2025‑42957, S/4HANA) and Note 3633838 (CVE‑2025‑42950, SLT/DMIS). [4][5][6][8]

  • Community coverage (incl. German‑language advisories) reiterates that patching removes vulnerable code and names the implicated function modules: /SLOAE/DEPLOY and /SLOAP/GEN_MODULE_REPORT. [7][8]


Containing and patching CVE‑2025‑42957 with Pathlock


Pathlock’s Threat Detection & Response analyzes 70+ SAP log sources with 1,500+ out‑of‑the‑box signatures, integrates with any SIEM, and on average reduces detection and remediation timeframes by up to 80%. When policy allows, automated countermeasures (e.g., user lockout) can be applied to reduce MTTD/MTTR during exploitation attempts. [1][2]


Proactive hardening & patch prioritization: Pathlock Vulnerability Management runs 4,000+ checks, determines applicable notes, and prioritizes the most critical patches for your landscape. [3]


Secure change & code: Code Scanning augments SAP ATC with 150+ security/compliance checks to catch issues pre‑production, and Transport Control continuously monitors and blocks risky transports with 90+ checks—helpful to prevent re‑introducing dangerous objects while rolling out notes 3627998/3633838. [1][3]

Pathlock already detects exploitation of CVE‑2025‑42957 and triggers automatic countermeasures (for example, policy‑driven user lockout), measurably reducing MTTD and MTTR in customer environments.


References


[1] Pathlock — Cybersecurity Application Controls (product brief)

[2] Pathlock — CAC Threat Detection & Response and integrations (product brief)

[3] Pathlock — CAC Vulnerability Management & Code/Transport controls (product brief)

[4] SAP Security Patch Day — August 2025

[5] NVD — CVE‑2025‑42957

[6] NVD — CVE‑2025‑42950

[7] RZ10 — SAP Security Patchday August 2025 (German)

[8] Layer Seven Security — SAP Security Notes, August 2025

[9] CVE Details — CVE‑2025‑42957

[10] CVE Details — CVE‑2025‑27429

[11] SAP — UCON RFC Basic Scenario (Guide)

[12] SAPinsider — Mastering RFC Security with UCON & Authorization Management

[13] ITSITI — RFC callback whitelist security level (rfc/callback_security_method)
