BridgeView Marketing: Amplifying Critical Cybersecurity Threats

Sep 9, 2025 | Press Hits

The Dark Reading coverage of the critical SAP S/4HANA vulnerability demonstrates why BridgeView Marketing’s strategic communications are essential in today’s threat landscape. When cybersecurity firms discover critical vulnerabilities, the speed and effectiveness of public disclosure can literally prevent devastating breaches across thousands of organizations.

BridgeView Marketing transforms complex technical discoveries into urgent, actionable intelligence by ensuring critical vulnerability information reaches security decision-makers through trusted industry publications where they actively seek threat intelligence. This strategic approach serves a broader public good—helping protect organizations from potentially catastrophic cyber attacks before they occur.

In an era where cybercriminals increasingly target enterprise systems for maximum impact, BridgeView’s ability to rapidly amplify security research through established media relationships isn’t just effective PR—it’s a critical component of national cybersecurity defense that transforms isolated discoveries into industry-wide protective action.

Originally Posted at: darkreading.com/vulnerabilities-threats/sap-4hana-vulnerability-under-attack

A critical code injection vulnerability in SAP’s S/4HANA ERP software that was first disclosed last month is now under exploitation in the wild.

SAP previously disclosed and patched CVE-2025-42957, which affects both private cloud and on-premise S/4HANA instances. The flaw, which received a 9.9 CVSS score, allows attackers with low-privileged user access to inject SAP’s ABAP code into a system to fully compromise it. The vulnerability was discovered and reported to the software maker by SecurityBridge, an SAP-focused security firm based in Germany.

In a blog post Thursday, SecurityBridge said it discovered an exploit for CVE-2025-42957 and confirmed it has been used in the wild. “While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability,” the blog post said. “That means attackers already know how to use it – leaving unpatched SAP systems exposed.”

SecurityBridge added that SAP’s patch for CVE-2025-42957 is “relatively easy” to reverse engineer, and that successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Joris Van De Vis, director of research at SecurityBridge, says the scope and scale of the exploitation activity is “limited” and that to the company’s knowledge, there is no public proof-of-concept exploit for the vulnerability.


SecurityBridge wasn’t the only company to flag exploitation activity. Pathlock, a cybersecurity vendor based in Denver, said it “detected outlier activity consistent with exploitation attempts of CVE-2025-42957,” according to a blog post published Friday.

In a statement to media outlets, Jonathan Stross, SAP security analyst at Pathlock, said exploitation activity “surged dramatically” after the patch for CVE-2025-42957 was released.

 

It’s unclear if the exploit discovered by SecurityBridge is a proof-of-concept. Dark Reading contacted SecurityBridge for comment, but the company did not respond at press time.

High Danger for SAP Customers

Even though an attacker would need a valid user account to exploit CVE-2025-42957, SecurityBridge said the vulnerability was “especially dangerous.”

“The attack complexity is low and can be performed over the network, which is why the CVSS score is so high (9.9),” the blog post said. “In summary, a malicious insider or a threat actor who has gained basic user access (through phishing, for example) could leverage this flaw to escalate into full control of the SAP environment.”

With one user account and a remote function call (RFC) to a vulnerable module, an attacker can gain administrative privileges to the SAP system, according to SecurityBridge. From there, the attacker can begin manipulating or deleting corporate data directly in the SAP database, create additional accounts with admin privileges that act as persistent backdoors, exfiltrate data such as hashed passwords, and cause further damage with control of the host OS.

42957, which was released in SAP’s August 2025 security updates. To defend against potential exploitation, the company recommended implementing SAP’s Unified Connectivity framework (UCON) to restrict RFC usage, and to monitor logs for suspicious RFC calls and newly created admin accounts.

The exploitation of CVE-2025-42957 follows attacks in the spring on a critical SAP NetWeaver zero-day flaw tracked as CVE-2025-31324. The vulnerability came under subsequent waves of attacks in the weeks following its initial disclosure in late April.

 
