Detections
Analytics

CVE-2025-42957

critical

Description

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

References

https://www.bleepingcomputer.com/news/security/sap-fixes-maximum-severity-netweaver-command-execution-flaw/

https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html

https://arstechnica.com/security/2025/09/as-hackers-exploit-one-high-severity-sap-flaw-company-warns-of-3-more/

https://www.infosecurity-magazine.com/news/sap-s4hana-patch-critical/

https://hackread.com/hackers-exploit-cve-2025-42957-sap-vulnerability/

https://www.theregister.com/2025/09/05/critical_sap_s4hana_bug_exploited/

https://www.securityweek.com/recent-sap-s-4hana-vulnerability-exploited-in-attacks/

https://www.helpnetsecurity.com/2025/09/05/attackers-are-exploiting-critical-sap-s-4hana-vulnerability-cve-2025-42957/

https://www.darkreading.com/vulnerabilities-threats/sap-4hana-vulnerability-under-attack

https://www.bleepingcomputer.com/news/security/critical-sap-s-4hana-vulnerability-now-exploited-in-attacks/

https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html

https://securityaffairs.com/181930/hacking/critical-sap-s-4hana-flaw-cve-2025-42957-under-active-exploitation.html

https://securityaffairs.com/181085/uncategorized/sap-fixed-26-flaws-in-august-2025-update-including-4-critical.html

https://www.securityweek.com/sap-patches-critical-s-4hana-vulnerability/

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3627998

Details

Source: Mitre, NVD

Published: 2025-08-12

Updated: 2025-08-12

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.9

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00047

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest