SecurityBridge warned that CVE-2025-42957 allowed hackers with minimal system rights to mount “an entire system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware.”
The security firm went on to write:
The attacker needs only low-level credentials on the SAP system (any valid user account with permissions to call the vulnerable RFC module and the specific S_DMIS authorization with activity 02), and no user interaction is required.
The attack complexity is low and can be carried out over the network, which is why the CVSS score is so high (9.9). In summary, a malicious insider or a threat actor who has gained basic user access (through phishing, for example) could leverage this flaw to escalate into full control of the SAP environment.
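Because the quoted prerequisite is a concrete authorization (S_DMIS with activity 02), a defender can scope exposure before the patch lands by listing which accounts actually hold it. The script below is an added example, not code from SecurityBridge or SAP: it assumes an authorization export in the shape user,object,field,value (constructed sample data inline) and applies SAP's wildcard semantics for authorization values, since a user holding `*` for ACTVT also satisfies the prerequisite even though the literal value 02 never appears.

```python
"""Flag SAP users who hold the prerequisite authorization named in the advisory."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export (not real data): one row per authorization value a user holds.
# The column layout user,object,field,value is an assumption about the export format.
SAMPLE_EXPORT = """user,object,field,value
ALICE,S_DMIS,ACTVT,03
BOB,S_DMIS,ACTVT,02
CAROL,S_DMIS,ACTVT,*
DAVE,S_TCODE,TCD,SE38
ERIN,S_DMIS,ACTVT,0*
"""


def value_matches(granted: str, required: str) -> bool:
    """SAP authorization values: '*' grants everything, 'AB*' is a prefix wildcard,
    anything else must match exactly."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def users_with_authorization(export_text: str, obj: str, field: str, value: str) -> list:
    """Return the sorted list of users whose grants on (obj, field) cover `value`."""
    grants = defaultdict(set)
    for row in csv.DictReader(StringIO(export_text)):
        if row["object"] == obj and row["field"] == field:
            grants[row["user"]].add(row["value"])
    return sorted(
        user for user, vals in grants.items()
        if any(value_matches(v, value) for v in vals)
    )


def exposed_users(export_text: str) -> list:
    """Users meeting the prerequisite quoted from SecurityBridge: S_DMIS with activity 02."""
    return users_with_authorization(export_text, "S_DMIS", "ACTVT", "02")


if __name__ == "__main__":
    for user in exposed_users(SAMPLE_EXPORT):
        print(f"review: {user} holds S_DMIS ACTVT 02 (directly or via wildcard)")
```

The list this produces is the set of accounts whose compromise (by phishing, as the advisory notes) would be enough to reach the vulnerable path, which makes it a sensible priority list for credential hygiene and RFC-call monitoring until the patch is applied. Wildcard handling matters: CAROL and ERIN never hold the literal value 02, yet both satisfy the check.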
SAP, for its part, warned: “This flaw operates as a backdoor, allowing unauthorized access to SAP systems and jeopardizing confidentiality, integrity, and availability. Without immediate mitigation, your SAP S/4HANA system could be severely compromised.” The post makes no mention of active exploitation.
Other vulnerabilities SAP reported Tuesday affected a range of products, including SAP Business One, SAP Landscape Transformation Replication Server, SAP Commerce Cloud, SAP Datahub, SAP Business Planning and Consolidation, SAP HCM, SAP BusinessObjects Business Intelligence Platform, SAP Supplier Relationship Management, and Fiori. Severity scores of these vulnerabilities range from 3.1 to 8.8.
All vulnerabilities mentioned in this post, particularly those with high severity scores, should be patched as soon as possible. SAP has more information on its security page.