TL;DR: CVE-2025-42957 is a critical SAP S/4HANA code injection flaw that lets a low-privilege user reach vulnerable RFC paths and take full control, with SAP fixing it in August 2025 and Pathlock reporting exploitation attempts in telemetry. The incident shows that privilege level alone is not a safety signal when network-reachable execution paths remain open.
NHIMG editorial — based on content published by Pathlock covering CVE-2025-42957 in SAP S/4HANA
By the numbers:
- CVE-2025-42957 is a critical (9.9) SAP S/4HANA Code Injection Vulnerability allowing an attacker with low user privileges to take full control of an organization’s SAP system.
- SAP released fixes on August 12, 2025 for Note 3627998 and, if SLT/DMIS is in scope, Note 3633838.
- Pathlock Research Lab telemetry has detected outlier activity consistent with exploitation attempts of CVE-2025-42957.
Questions worth separating out
Q: What breaks when SAP RFC modules are reachable by low-privilege users?
A: A low-privilege account can become a code execution path when a remote-enabled function module accepts injected ABAP.
Q: Why do SAP code injection flaws create such large identity risk?
A: They let an ordinary user leverage application trust to cross into privileged execution without first compromising an admin account.
Q: What do security teams get wrong about patching SAP vulnerabilities?
A: They often treat patching as an infrastructure task instead of a control-state change.
Practitioner guidance
- Patch SAP S/4HANA immediately: Apply SAP Note 3627998 for CVE-2025-42957 and, where relevant, Note 3633838 for SLT/DMIS.
- Restrict RFC reachability to the smallest viable module set: Use UCON and RFC allowlists to expose only approved remote-enabled function modules.
- Review S_RFC and callback trust as one control surface: Check S_RFC permissions, RFC callback allowlists, and rfc/callback_security_method together so a permitted destination cannot become a code execution path.
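The three guidance items above describe one review, not three. The following is an added example (not Pathlock's code and not tied to any real SAP system) that audits constructed exports of the three controls together: S_RFC authorizations, the rfc/callback_security_method profile parameter, and the gap between remote-enabled function modules actually exposed and the UCON allowlist. The authorization object S_RFC with its fields RFC_TYPE, RFC_NAME and ACTVT, and the parameter name rfc/callback_security_method, are real SAP names; the role names, function module names, and the assumed enforcing threshold of 3 for the callback parameter are assumptions to replace with your own landscape's values.

```python
"""Added example: joint audit of S_RFC, RFC callback policy and UCON exposure.

All records below are constructed for illustration. Role and function
module names are placeholders; the enforcing threshold for
rfc/callback_security_method is an assumption (check SAP's documentation
for the value your release recommends).
"""
from dataclasses import dataclass


@dataclass
class S_RFCAuth:
    """One S_RFC authorization line as it would appear in a role export."""
    role: str
    rfc_type: str  # "FUGR" = function group, "FUNC" = single function module
    rfc_name: str  # may contain a '*' wildcard
    actvt: str     # "16" = execute


# Assumed: values below this are treated as not enforcing the callback allowlist.
CALLBACK_ENFORCING_MIN = 3


def audit_s_rfc(auths):
    """Flag execute authorizations whose RFC_NAME is a wildcard set."""
    findings = []
    for a in auths:
        if a.actvt != "16":
            continue  # only execute grants widen the reachable module set
        if "*" in a.rfc_name:
            findings.append(
                f"{a.role}: S_RFC {a.rfc_type}={a.rfc_name} grants execute (ACTVT 16) on a wildcard set"
            )
    return findings


def audit_callback_param(params):
    """Flag a missing or non-enforcing rfc/callback_security_method value."""
    val = params.get("rfc/callback_security_method")
    if val is None:
        return ["rfc/callback_security_method is not set; treat as not enforcing"]
    try:
        level = int(val)
    except ValueError:
        return [f"rfc/callback_security_method={val!r} is not a valid level"]
    if level < CALLBACK_ENFORCING_MIN:
        return [f"rfc/callback_security_method={level} is below the assumed enforcing value {CALLBACK_ENFORCING_MIN}"]
    return []


def audit_ucon(exposed_modules, ucon_allowlist):
    """Return remote-enabled modules that are exposed but not UCON-allowlisted."""
    return sorted(set(exposed_modules) - set(ucon_allowlist))


def run_audit(auths, params, exposed_modules, ucon_allowlist):
    """Run the three checks as one control-surface review."""
    return {
        "s_rfc": audit_s_rfc(auths),
        "callback": audit_callback_param(params),
        "ucon_unlisted": audit_ucon(exposed_modules, ucon_allowlist),
    }


# Constructed sample data (placeholders, not from any real system).
SAMPLE_AUTHS = [
    S_RFCAuth("Z_BASIC_USER", "FUGR", "*", "16"),             # over-broad: flagged
    S_RFCAuth("Z_INVOICE_CLERK", "FUNC", "Z_INVOICE_POST", "16"),  # narrow: fine
    S_RFCAuth("Z_REPORT_VIEWER", "FUGR", "Z_REP*", "03"),      # display only: ignored
]
SAMPLE_PARAMS = {"rfc/callback_security_method": "1"}
SAMPLE_EXPOSED = ["Z_INVOICE_POST", "Z_LEGACY_EXPORT"]
SAMPLE_UCON_ALLOWLIST = ["Z_INVOICE_POST"]

if __name__ == "__main__":
    for area, items in run_audit(SAMPLE_AUTHS, SAMPLE_PARAMS,
                                 SAMPLE_EXPOSED, SAMPLE_UCON_ALLOWLIST).items():
        print(area, items)
```

The point of running the three checks in one pass is the one the guidance makes: a narrow S_RFC grant is only as safe as the callback policy and UCON exposure around it, so a clean result in any single area is not a signal on its own.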
What's in the full article
Pathlock's full article covers the operational detail this post intentionally leaves for the source:
- Specific SAP Security Notes and the exact vulnerable function modules named in the advisory.
- Telemetry notes on exploitation attempts observed by Pathlock Research Lab.
- Concrete mitigation steps for UCON allowlisting, RFC callback hardening, and SAP authorisation review.
- Pathlock product details for detection, vulnerability management, and transport controls that sit beyond this analysis.
Read Pathlock's analysis of CVE-2025-42957 and SAP S/4HANA code injection.
SAP code injection in S/4HANA: are low-privilege controls enough?