CVE-2025-42957

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3627998
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

12 Aug 2025, 14:25

Type	Values Removed	Values Added
Summary		(es) SAP S/4HANA permite a un atacante con privilegios de usuario explotar una vulnerabilidad en el módulo de función expuesta mediante RFC. Esta falla permite la inyección de código ABAP arbitrario en el sistema, omitiendo las comprobaciones de autorización esenciales. Esta vulnerabilidad funciona como una puerta trasera, creando el riesgo de comprometer completamente el sistema y socavando su confidencialidad, integridad y disponibilidad.

12 Aug 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-12 03:15

Updated : 2025-08-12 14:25

NVD link : CVE-2025-42957

Mitre link : CVE-2025-42957

CVE.ORG link : CVE-2025-42957

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.9 /10