Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SAP code injection in S/4HANA: are low-privilege controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: CVE-2025-42957 is a critical SAP S/4HANA code injection flaw that lets a low-privilege user reach vulnerable RFC paths and take full control, with SAP fixing it in August 2025 and Pathlock reporting exploitation attempts in telemetry. The incident shows that privilege level alone is not a safety signal when network-reachable execution paths remain open.

NHIMG editorial — based on content published by Pathlock covering CVE-2025-42957 in SAP S/4HANA

By the numbers:

Questions worth separating out

Q: What breaks when SAP RFC modules are reachable by low-privilege users?

A: A low-privilege account can become a code execution path when a remote-enabled function module accepts injected ABAP.

Q: Why do SAP code injection flaws create such large identity risk?

A: They let an ordinary user leverage application trust to cross into privileged execution without first compromising an admin account.

Q: What do security teams get wrong about patching SAP vulnerabilities?

A: They often treat patching as an infrastructure task instead of a control-state change.

Practitioner guidance

  • Patch SAP S/4HANA immediately Apply SAP Note 3627998 for CVE-2025-42957 and, where relevant, Note 3633838 for SLT/DMIS.
  • Restrict RFC reachability to the smallest viable module set Use UCON and RFC allowlists to expose only approved remote-enabled function modules.
  • Review S_RFC and callback trust as one control surface Check S_RFC permissions, RFC callback allowlists, and rfc/callback_security_method together so a permitted destination cannot become a code execution path.

What's in the full article

Pathlock's full article covers the operational detail this post intentionally leaves for the source:

  • Specific SAP Security Notes and the exact vulnerable function modules named in the advisory.
  • Telemetry notes on exploitation attempts observed by Pathlock Research Lab.
  • Concrete mitigation steps for UCON allowlisting, RFC callback hardening, and SAP authorisation review.
  • Pathlock product details for detection, vulnerability management, and transport controls that sit beyond this analysis.

👉 Read Pathlock's analysis of CVE-2025-42957 and SAP S/4HANA code injection →

SAP code injection in S/4HANA: are low-privilege controls enough?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Low privilege is not a meaningful safety boundary when the execution path is trusted more than the caller. CVE-2025-42957 shows that SAP identity assumptions can fail even when the user account itself is ordinary. The real problem is that a reachable RFC path can convert basic access into code execution before conventional privilege controls ever matter. Practitioner implication: identity governance has to account for trusted execution surfaces, not just user entitlements.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to the same report.

A question worth separating out:

Q: Who is accountable when an unpatched SAP injection flaw is exploited?

A: Accountability usually spans SAP platform owners, security operations, and the teams governing privileged access and change control. If RFC exposure, patch verification, and authorization review are split across functions, no one owns the full blast radius. That makes governance alignment as important as technical remediation.

👉 Read our full editorial: SAP S/4HANA code injection exposes the limits of low-privilege trust



   
ReplyQuote
Share: