CVE-2025-42957 Overview
CVE-2025-42957 is a code injection vulnerability in SAP S/4HANA. An authenticated attacker with user-level privileges can exploit a function module exposed through Remote Function Call (RFC) to inject arbitrary ABAP code. The flaw bypasses authorization checks that would normally restrict privileged operations. Successful exploitation grants the attacker a persistent backdoor and full control over the affected SAP system. The vulnerability impacts confidentiality, integrity, and availability of business-critical data, including financial records, HR information, and supply chain operations. SAP addressed the issue in the August 2025 Security Patch Day release tracked under SAP Note #3627998.
Critical Impact
Authenticated attackers can inject arbitrary ABAP code through an RFC-exposed function module, bypass authorization checks, and achieve full SAP S/4HANA system compromise.
Affected Products
- SAP S/4HANA (on-premise and private cloud editions) exposing the vulnerable RFC function module
- ABAP application server components reachable through Remote Function Call interfaces
- Connected SAP landscapes that trust the compromised system through RFC destinations
Discovery Timeline
- 2025-08-12 - CVE-2025-42957 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-42957
Vulnerability Analysis
The vulnerability is classified as Code Injection under [CWE-94]. SAP S/4HANA exposes a function module through the RFC interface that accepts attacker-controlled input and processes it as executable ABAP code. The function module fails to enforce required authorization objects before performing privileged operations. An attacker who holds any valid SAP user account can reach the RFC endpoint over the network and trigger the injection path.
Because ABAP runs inside the SAP kernel with broad access to the database and operating system layer, injected code can read or modify any table, create privileged users, execute operating system commands through SAP gateways, and disable logging. The Common Vulnerability Scoring System (CVSS) vector indicates a scope change, reflecting that exploitation moves from the application context to the entire SAP installation. The EPSS score sits at 0.15% with a percentile of 35.2, but the low complexity and high impact warrant priority remediation regardless of statistical exploitation likelihood.
Root Cause
The root cause is missing authorization enforcement inside an RFC-exposed function module combined with unsafe handling of caller-supplied parameters. The function module dynamically constructs or evaluates ABAP statements using input that is not validated or restricted to a safe grammar. Standard authority-check calls that should gate dangerous operations are absent or incorrectly implemented.
Attack Vector
The attack vector is network-based. An attacker authenticates to the SAP system as a low-privileged user, opens an RFC connection to the vulnerable function module, and submits a crafted payload. The payload causes the server to compile and execute attacker-supplied ABAP statements under the privileges of the SAP work process. From that position the attacker can create a SAP_ALL-equivalent user, extract database contents, or pivot into connected systems via trusted RFC destinations. No user interaction is required, and exploitation succeeds in a single request.
No verified public proof-of-concept code is available at the time of publication. Refer to the SAP Note #3627998 for vendor technical details.
Detection Methods for CVE-2025-42957
Indicators of Compromise
- Unexpected RFC calls from low-privileged user accounts to function modules that perform code generation, dynamic program execution, or table maintenance
- Creation of new SAP users with wide profiles such as SAP_ALL or SAP_NEW outside of documented change windows
- New or modified ABAP reports, function modules, or includes authored by service or batch user IDs
- Entries in the Security Audit Log (SM20) showing authorization failures immediately followed by successful privileged actions from the same session
Detection Strategies
- Enable and forward the SAP Security Audit Log, RFC gateway logs, and SM19/SM20 events to a central analytics platform for correlation
- Hunt for RFC traffic targeting the affected function module from user accounts that have no business reason to call it
- Baseline normal RFC callers per function module and alert on first-seen caller-to-module relationships
- Review the USR02, AGR_USERS, and USOBT_C tables for unexpected user, role, and authorization changes
Monitoring Recommendations
- Monitor changes to the ABAP repository through transactions SE38, SE37, and SE80, and alert on transports created outside approved workflows
- Track SAP Gateway and Message Server connections for anomalous external clients
- Correlate authentication events with subsequent privileged ABAP execution to identify lateral movement across connected SAP systems
How to Mitigate CVE-2025-42957
Immediate Actions Required
- Apply the SAP-supplied patch from SAP Note #3627998 on all S/4HANA systems, including non-production tiers reachable from the corporate network
- Restrict RFC access to the vulnerable function module using UCON (Unified Connectivity) allowlists until patching completes
- Review and reduce membership in roles that grant S_RFC authorization on the affected function group
- Rotate credentials for technical and dialog users that may have been used during the exposure window
Patch Information
SAP released the fix as part of the August 2025 Security Patch Day. The corrective note is SAP Note #3627998. Customers should consult the SAP Security Patch Day Announcement for the full list of affected support package levels and kernel patches. Apply the note through the standard SNOTE procedure and validate that the corrected function module rejects unauthorized callers.
Workarounds
- Use UCON to block external RFC access to the affected function module if immediate patching is not possible
- Tighten S_RFC authorizations so only explicitly approved users and interface accounts can invoke the function group
- Restrict network reachability of SAP application servers to trusted administrative segments using firewall rules and SAProuter access control lists
# Example UCON RFC allowlist review (transaction UCONCOCKPIT)
# 1. Run UCONCOCKPIT in evaluation phase
# 2. Identify the vulnerable function module under "RFC Basic Scenario"
# 3. Remove it from the active allowlist until SAP Note #3627998 is applied
# 4. Re-enable only after patch verification and authorization review
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
