CVE-2025-42957: Critical Vulnerability in SAP S/4HANA Under Active Exploitation
In August 2025, SAP released Security Note 3627998 to address vulnerability CVE-2025-42957, rated with a CVSS score of 9.9 – Critical, making it one of the most severe SAP security vulnerabilities in recent years.
The flaw affects multiple versions of SAP S/4HANA (S4CORE 102–108) and resides in an RFC (Remote Function Call) module that fails to properly validate input parameters.
This means an attacker with limited credentials and privileges can inject ABAP code directly into the vulnerable SAP system, escalating privileges and gaining full control of the SAP platform.
Alarmingly, this is no longer just a theoretical risk. Multiple cybersecurity teams and independent SAP security researchers are claiming active exploitation attempts in production environments.
Why is this SAP vulnerability critical?
A compromised SAP S/4HANA system due to this flaw opens the door to theft of sensitive business data, user credentials, and intellectual property, with direct implications for compliance with SOX, GDPR, or PCI-DSS.
It also enables manipulation of core SAP business processes such as billing, payroll, or supply chain management.
In the worst-case scenario, attackers could deploy ransomware inside SAP systems, completely paralyzing operations.
In industries like banking, energy, or manufacturing, every hour of downtime can translate into multi-million-dollar losses.
The SAP Patch: What it Includes and How to Apply It
SAP Note 3627998 delivers code fixes for the vulnerable RFC module, strengthening validation of inbound calls. The patch is distributed via the SAP ONE Support Launchpad and can be applied using standard maintenance tools (SPAM/SAINT or SUM – Software Update Manager).
The biggest challenge is that many organizations cannot deploy the fix immediately due to restrictions on SAP production downtime. Meanwhile, public exploits are already circulating, and attackers are actively scanning for this SAP vulnerability.
For this reason, SAP recommends applying the patch as soon as possible, validating first in DEV/QA environments before moving to production.
Until then, it is critical to enable cybersecurity mitigation measures for SAP, such as UCON specialized monitoring (e.g., Vicxer Security Monitor) to detect exploitation attempts.
How Vicxer Helps Close the SAP Security Gap
At Vicxer, we understand that time is a critical factor in SAP cybersecurity. Our platform already includes a dedicated detection signature for CVE-2025-42957, capable of identifying exploitation attempts in real time, preventing and alerting against attacks on the SAP system.
Beyond detection, we apply a virtual patching approach for SAP security: security rules that block attack vectors even on systems where the official SAP patch has not yet been deployed. This provides vital time to plan maintenance without leaving the SAP landscape exposed.
Unlike traditional methods, Vicxer correlates SAP logs with network data and orchestrates response alongside the SOC. The result is something tangible: a clear map of how the vulnerability could impact business-critical SAP processes such as payroll, invoicing, or logistics, with both technical and executive-level visibility.
What To Do Now
If your organization uses SAP S/4HANA versions S4CORE 102–108, the top priority is to immediately verify whether SAP patch 3627998 has been applied. If not, schedule installation as soon as possible.
In the meantime, don’t wait idly; activate specialized SAP monitoring and cybersecurity controls to gain visibility over your SAP systems.
In this link, you can book a free express workshop with a SAP security Expert from Vicxer where we demonstrate live how to detect and stop exploitation attempts of this vulnerability in real SAP environments. [Schedule your workshop here ]