SAP S/4HANA Vulnerability Exploitation: Mitigation and Monitoring with SAP Enterprise Threat Detection

Friday, Sep 5, 2025 9:39 am ET

A critical ABAP code injection vulnerability (CVE-2025-42957) has been discovered in SAP S/4HANA, allowing attackers to inject arbitrary code and bypass authorization checks. SAP Enterprise Threat Detection can monitor and flag potential exploitation of this vulnerability. To secure your SAP system, apply the correction instructions or support packages referenced by SAP Note 3627998, add /SLOAE/DEPLOY to ABAP Blocklisted Function Modules in SAP Enterprise Threat Detection, and regularly audit your system for unauthorized access and fraud.

A critical security vulnerability, CVE-2025-42957, has been discovered in SAP S/4HANA, an Enterprise Resource Planning (ERP) software widely used by businesses for managing their operations. This vulnerability, a command injection flaw, allows attackers with user privileges to inject arbitrary ABAP code into the system, bypassing essential authorization checks.

The vulnerability, tracked as CVE-2025-42957 with a CVSS score of 9.9, was fixed by SAP as part of its monthly updates last month. According to the NIST National Vulnerability Database (NVD), the flaw enables the injection of arbitrary ABAP code into the system, potentially leading to a full system compromise. Successful exploitation could result in unauthorized access, data theft, and system manipulation, including the creation of superuser accounts with SAP_ALL privileges and the alteration of business processes [1].

SecurityBridge Threat Research Labs has observed active exploitation of this vulnerability, indicating that both on-premise and Private Cloud editions of SAP S/4HANA are at risk. Exploitation requires minimal effort and can lead to fraud, data theft, espionage, or the installation of ransomware [1]. While widespread exploitation has not been detected, the potential for such exploitation remains high, given the ease with which threat actors can reverse-engineer the patch to create an exploit.

Organizations are advised to apply the patches as soon as possible, monitor logs for suspicious activity, and ensure appropriate segmentation and backups are in place. Additionally, implementing SAP UCON to restrict RFC usage and reviewing and restricting access to authorization object S_DMIS activity 02 can help mitigate the risk [1].

SAP Enterprise Threat Detection (SAP ETD) plays a crucial role in identifying and mitigating such vulnerabilities. By adding the function module /SLOAE/DEPLOY to the value list ABAP Blocklisted Function Modules, SAP ETD can monitor and flag potential exploitation of this vulnerability. Regular audits of the system for unauthorized access and fraudulent behavior are also recommended [2].

To secure your SAP system, apply the correction instructions or support packages referenced by SAP Note 3627998. Monitor attempts to exploit this vulnerability using SAP ETD and regularly audit your system for signs of exploitation [2].

References:
[1] https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html
[2] https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-sap/protect-your-sap-s-4hana-from-critical-code-injection-vulnerability-cve/ba-p/14208866
