
Vulnerabilities

Recent SAP S/4HANA Vulnerability Exploited in Attacks

A critical SAP S/4HANA code injection flaw tracked as CVE-2025-42957 and allowing full system takeover has been exploited in the wild.


A recently patched SAP S/4HANA vulnerability tracked as CVE-2025-42957 is being exploited in the wild, SAP security solutions provider SecurityBridge warned on Thursday.

The vulnerability was fixed by SAP in its enterprise resource planning (ERP) software in August, after being responsibly disclosed to the vendor by SecurityBridge in late June. 

CVE-2025-42957 has been assigned a ‘critical’ severity rating. It allows an authenticated attacker with low privileges to execute arbitrary code and take full control of the affected SAP system.

SecurityBridge is warning organizations about the exploitation of the vulnerability, but the security company’s director of research, Joris van de Vis, told SecurityWeek that they are not disclosing further details on the attacks at this time. 

Van de Vis did confirm that SecurityBridge has seen malicious exploitation of CVE-2025-42957 in customer environments, noting that the company is aware of multiple exploits.

The expert also pointed out that the vulnerability “is of relatively low complexity” and “skilled professionals with good SAP and/or security expertise can readily develop working exploits”.


SecurityBridge said in its blog post that successful exploitation of the flaw can enable an attacker to delete data from or insert data into the SAP database, create new SAP users with elevated privileges, download password hashes, and modify business processes. 

“A complete system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware,” SecurityBridge warned.

The security firm said it has not seen widespread exploitation, but organizations concerned about attacks can check logs for indicators of compromise (IoCs) such as suspicious RFC calls, new admin users, and unexpected ABAP code changes.
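The three indicator classes named above can be turned into a small correlation pass over audit events. The script below is an added example, not a tool from SecurityBridge, SAP or SecurityWeek: the JSON-lines event format, the field names, the allow-lists of RFC peers and developer accounts, and the sample events themselves are all constructed assumptions for illustration, not SAP's native Security Audit Log layout. The rules it applies are the ones a practitioner would start from: RFC calls from hosts outside an allow-list or invoking a sensitive function module, a freshly created user that receives an administrative profile within a short window, and ABAP object changes in a production system or by an account that is not a known developer.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines format (NOT SAP's
# native Security Audit Log layout). Fields: ts, event, user, plus
# event-specific keys. The first five lines model the post-exploitation
# pattern described in the article; the rest are benign noise.
SAMPLE_LOG = """\
{"ts": "2025-09-04T02:11:05", "event": "rfc_call", "user": "BATCH01", "src": "10.0.5.20", "fm": "RFC_READ_TABLE"}
{"ts": "2025-09-04T02:13:40", "event": "rfc_call", "user": "WEBUSER", "src": "198.51.100.7", "fm": "RFC_ABAP_INSTALL_AND_RUN"}
{"ts": "2025-09-04T02:14:02", "event": "user_create", "user": "WEBUSER", "target": "ZSUPPORT2"}
{"ts": "2025-09-04T02:14:30", "event": "profile_assign", "user": "WEBUSER", "target": "ZSUPPORT2", "profile": "SAP_ALL"}
{"ts": "2025-09-04T02:15:11", "event": "abap_change", "user": "WEBUSER", "object": "ZCL_HOOK", "system_role": "PRD"}
{"ts": "2025-09-04T09:00:00", "event": "user_create", "user": "HRADMIN", "target": "JSMITH"}
{"ts": "2025-09-04T09:00:20", "event": "profile_assign", "user": "HRADMIN", "target": "JSMITH", "profile": "Z_HR_DISPLAY"}
{"ts": "2025-09-04T10:30:00", "event": "abap_change", "user": "DEV01", "object": "ZCL_REPORT", "system_role": "DEV"}
"""

# Assumed landscape-specific allow-lists; tune these per environment.
KNOWN_RFC_PEERS = {"10.0.5.20", "10.0.5.21"}      # assumption: approved integration hosts
SENSITIVE_FMS = {"RFC_ABAP_INSTALL_AND_RUN"}       # illustrative list of remote-execution FMs
ADMIN_PROFILES = {"SAP_ALL", "SAP_NEW"}            # broad composite profiles
DEVELOPER_ACCOUNTS = {"DEV01", "DEV02"}            # assumption: accounts allowed to change code
NEW_USER_WINDOW = timedelta(hours=24)              # "new" user = created within this window


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_indicators(events):
    """Apply the three indicator rules and return a list of findings."""
    findings = []
    created = {}  # target user -> creation time, for correlating later privilege grants
    for ev in events:
        kind = ev["event"]
        if kind == "rfc_call":
            # Rule 1: RFC call from an unknown peer or invoking a sensitive function module.
            if ev["src"] not in KNOWN_RFC_PEERS or ev["fm"] in SENSITIVE_FMS:
                findings.append({"rule": "suspicious_rfc", "user": ev["user"],
                                 "detail": f'{ev["fm"]} from {ev["src"]}'})
        elif kind == "user_create":
            created[ev["target"]] = ev["ts"]
        elif kind == "profile_assign":
            # Rule 2: admin profile granted to a user created within NEW_USER_WINDOW.
            born = created.get(ev["target"])
            if (ev["profile"] in ADMIN_PROFILES and born is not None
                    and ev["ts"] - born <= NEW_USER_WINDOW):
                findings.append({"rule": "new_admin_user", "user": ev["user"],
                                 "detail": f'{ev["target"]} granted {ev["profile"]}'})
        elif kind == "abap_change":
            # Rule 3: code change in a production system or by a non-developer account.
            if ev["system_role"] == "PRD" or ev["user"] not in DEVELOPER_ACCOUNTS:
                findings.append({"rule": "unexpected_abap_change", "user": ev["user"],
                                 "detail": f'{ev["object"]} changed in {ev["system_role"]}'})
    return findings


def triage(text):
    """Convenience wrapper: parse the log text and return the findings."""
    return find_indicators(parse_events(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Against the constructed sample the pass reports three findings, all tied to WEBUSER, while the legitimate HR user creation and the developer's change in the DEV system produce nothing. The correlation in rule 2 is the useful part: an admin profile assignment on its own is routine administration, but one that lands on an account created minutes earlier is the pattern the article describes.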

It’s not uncommon for threat actors to exploit SAP product vulnerabilities in their attacks. CISA’s Known Exploited Vulnerabilities (KEV) catalog currently includes 14 SAP product flaws. 

Related: SAP Patches Critical Flaws That Could Allow Remote Code Execution, Full System Takeover

Related: Organizations Warned of Exploited SAP, Gpac and D-Link Vulnerabilities

Related: Exploited Vulnerability Exposes Over 400 SAP NetWeaver Servers to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
