ABAP Code Injection Vulnerability in SAP S/4HANA by SAP
CVE-2025-42957
9.9 CRITICAL
Key Information:
- Vendor: SAP
- CVE Published: 12 August 2025
What is CVE-2025-42957?
In SAP S/4HANA, a vulnerability exists where an attacker with user credentials can exploit a flaw in the function module accessed via Remote Function Call (RFC). This issue allows unauthorized injection of arbitrary ABAP code, circumventing critical authorization checks and acting as a backdoor. The exploitation of this vulnerability poses significant risks to the system's confidentiality, integrity, and availability, potentially leading to a full system compromise.
Affected Version(s)
SAP S/4HANA (Private Cloud or On-Premise) S4CORE 102
SAP S/4HANA (Private Cloud or On-Premise) 103
SAP S/4HANA (Private Cloud or On-Premise) 104