Introduction
Attackers leveraging SAP S/4HANA code injection flaws have demonstrated the ability to bypass critical authorization controls and achieve full system compromise. For organizations running SAP S/4HANA, this means that a single vulnerability can undermine the confidentiality, integrity, and availability of core business operations.
SAP SE is a dominant force in enterprise software, with over 440,000 customers worldwide and SAP S/4HANA as its flagship ERP suite. The platform is central to business processes across industries, making vulnerabilities in its core components highly impactful for the global tech ecosystem.
Technical Information
CVE-2025-42957 is a critical vulnerability in SAP S/4HANA that allows authenticated attackers to inject arbitrary ABAP code via exposed RFC-enabled function modules. The flaw is classified as CWE-94 (Improper Control of Generation of Code) and carries a CVSS score of 9.9.
The vulnerability arises from insufficient input validation and sanitization in specific RFC function modules. When an attacker with valid SAP credentials and S_RFC authorizations invokes a vulnerable function module, they can supply crafted input that is directly used in dynamic ABAP code execution constructs. This bypasses standard authorization checks and enables arbitrary code execution within the SAP environment.
Exploitation enables attackers to:
- Escalate privileges by assigning themselves additional authorizations or creating new privileged accounts
- Modify or create SAP programs within standard namespaces, establishing persistent backdoors
- Bypass system and client modifiability locks
The vulnerability is similar to CVE-2025-27429, which affected SAP S/4HANA prior to April 2025 and was discovered in a function module of fewer than 40 lines of code. The attack vector relies on the ability to invoke RFC-enabled modules with crafted parameters, leveraging ABAP's dynamic code generation features such as INSERT REPORT or GENERATE SUBROUTINE POOL.
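For code review of custom RFC-enabled function modules, the following added example (not SAP's code and not from the advisory) scans exported ABAP source for the two dynamic code generation statements named above while ignoring comments and string literals. The function names and the sample module are constructed for illustration; it assumes pretty-printed source where a statement's closing period ends its line, and it only tracks single-quoted literals.

```python
import re

# Dynamic code generation statements named in the advisory text.
DYNAMIC_STATEMENTS = ("INSERT REPORT", "GENERATE SUBROUTINE POOL")

# Constructed sample source (hypothetical module, not a real SAP object).
SAMPLE = '''\
FUNCTION z_demo_rfc.
* INSERT REPORT in a comment must not match.
  DATA lt_code TYPE TABLE OF string.
  APPEND iv_line TO lt_code.  "caller-controlled text
  GENERATE SUBROUTINE POOL lt_code
    NAME DATA(lv_prog).
  INSERT REPORT 'ZDEMO' FROM lt_code.
  WRITE 'INSERT REPORT is only text here'.
ENDFUNCTION.
'''

def strip_comments(line):
    """Drop ABAP comments: '*' in column 1, or '"' outside a '...' literal."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i]
    return line

def find_dynamic_code(source):
    """Return (first_line_no, keyword, statement) per dynamic-generation statement."""
    findings = []
    stmt, start = [], None
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comments(raw).strip()
        if not code:
            continue
        if start is None:
            start = no          # remember where a multi-line statement begins
        stmt.append(code)
        if code.endswith("."):  # assumption: the closing period ends the line
            text = re.sub(r"\s+", " ", " ".join(stmt)).upper()
            for kw in DYNAMIC_STATEMENTS:
                if text.startswith(kw + " "):
                    findings.append((start, kw, text))
            stmt, start = [], None
    return findings
```

Each finding still needs manual review to determine whether the generated source can be influenced by an RFC caller's parameters.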
Affected Systems and Versions
- SAP S/4HANA (exact affected versions not specified in public sources)
- Vulnerability is present in RFC-enabled function modules prior to the patch provided in SAP Security Note 3627998
- Similar vulnerabilities (e.g., CVE-2025-27429) affected SAP S/4HANA versions prior to April 2025
- Both private cloud and on-premise deployments are impacted
Vendor Security History
SAP has a recurring history of critical vulnerabilities in its RFC and ABAP code execution pathways. Notable examples include:
- CVE-2025-27429 (ABAP code injection via RFC, patched April 2025)
- CVE-2025-42967 (code injection in SAP S/4HANA and SCM, patched July 2025)
- CVE-2025-31324 and CVE-2025-42999 (Visual Composer vulnerabilities actively exploited by APT groups)
The vendor maintains a monthly patch cycle and collaborates with external security researchers. Patch response times have improved, and SAP provides detailed advisories and CVSS scoring. However, the persistence of RFC and code injection flaws indicates ongoing challenges in secure development practices.