Arbitrary Code Injection Vulnerability in SAP S/4HANA
CVE-2025-27429

9.9CRITICAL

Key Information:

Vendor: SAP
Status: SAP S/4hana (private Cloud)
Vendor: CVE Published:; 8 April 2025

What is CVE-2025-27429?

SAP S/4HANA is vulnerable due to a flaw in the function module exposed via Remote Function Call (RFC), allowing authenticated users to inject arbitrary ABAP code. This breach bypasses vital authorization checks, effectively acting as a backdoor to the system. The vulnerability poses significant risks including potential system compromise, undermining the system's confidentiality, integrity, and availability.

Affected Version(s)

SAP S/4HANA (Private Cloud) S4CORE 102

SAP S/4HANA (Private Cloud) 103

SAP S/4HANA (Private Cloud) 104

References

https://me.sap.com/notes/3581961

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2025
Vulnerability Reserved
Feb 25, 2025