NCERT Issues Advisory On Critical SAP S/4HANA Vulnerability CVE-2025-42957

NCERT has issued an urgent advisory regarding a critical security vulnerability in SAP S/4HANA, tracked as CVE-2025-42957. With a CVSS score of 9.9, the flaw ranks among the most severe classes of security risk: it lets an attacker inject and execute code on the target system remotely with minimal effort. The vulnerability lies in a function module exposed through the Remote Function Call (RFC) interface and is caused by improper input validation, so exploitation requires only a low-privileged user account and no user interaction. Given the widespread adoption of SAP across global enterprises, the potential impact includes remote code execution, unauthorized access, complete system compromise, and data exfiltration.

According to the advisory, exploitation is already being observed in the wild. Attackers who gain access to unpatched environments can escalate privileges, deploy malware, or exfiltrate sensitive enterprise data. Threat scenarios include ransomware deployment, spyware installation, and persistent backdoor access, all of which could undermine critical business functions. The flaw affects several SAP products, including S/4HANA private cloud and on-premise installations, SAP Landscape Transformation components, Business One, and NetWeaver Application Server ABAP. S4CORE releases 102 through 108 are confirmed as vulnerable, along with the DMIS, SEM-BW, and SAP-M-BO releases listed in SAP's security note.

The attack complexity is rated low, with exploitation achievable over the network through RFC calls. A single set of low-privileged credentials, which could be obtained through phishing or credential theft, is sufficient to execute malicious payloads. This makes the flaw particularly dangerous, as many enterprise SAP environments are directly connected to critical workflows. NCERT has stressed that organizations must prioritize patching internet-facing and mission-critical systems, given the urgency of the threat. Temporary mitigations such as restricting RFC access to trusted networks, monitoring for suspicious RFC activity, and enforcing Web Application Firewall (WAF) protections may reduce exposure but are not considered a substitute for patching. One caveat for practitioners: RFC is not HTTP, so a WAF in front of SAP's web services does not inspect direct RFC calls; restricting who can reach the gateway ports (33xx) at the network layer and requiring Secure Network Communications (SNC) for RFC are the controls that actually cover this path.

NCERT recommends immediate deployment of the SAP security note that addresses CVE-2025-42957. Administrators are advised to verify their installed software component releases against SAP's published security notes and apply the latest available fixes without delay, then confirm in SNOTE or via the support package level that the correction is actually implemented rather than merely downloaded. Additional measures include tightening SAP account privilege policies (in particular reviewing which accounts hold broad S_RFC authorizations), continuously monitoring system logs for abnormal activity, and integrating anomaly detection solutions across enterprise environments. Organizations are also encouraged to update incident response plans to account for SAP-specific exploits and ensure backup recovery procedures are validated. Given the active exploitation of this vulnerability, NCERT has urged all entities to treat this advisory as a top priority to safeguard business-critical operations.
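As an added example (not code from NCERT, SAP, or the advisory), the script below performs the first step above: it takes an export of installed software components and flags the ones the advisory names. The component list embedded in it is constructed to resemble the "Installed Software Component Versions" view of an ABAP system (component, release, support package); in practice you would export that view or query the CVERS table. Only S4CORE has an explicit affected range on this page (102 through 108), so DMIS, SEM-BW and SAP-M-BO are marked for manual verification against SAP's security note instead of being auto-classified, and anything else is reported as not listed, which is not the same as safe.

```python
"""Triage installed SAP software components against the CVE-2025-42957 advisory.

Added example, not part of the advisory or of any SAP tooling. Release
ranges for DMIS, SEM-BW and SAP-M-BO are not stated on the page, so those
components are flagged "verify" rather than classified automatically.
"""
import re
from dataclasses import dataclass

# Affected release range named explicitly in the advisory (inclusive).
AFFECTED_RANGES = {"S4CORE": (102, 108)}
# Components the advisory names without giving release numbers.
NAMED_WITHOUT_RANGE = {"DMIS", "SEM-BW", "SAP-M-BO"}


@dataclass(frozen=True)
class Finding:
    component: str
    release: str
    status: str  # "affected", "verify", "not_listed" or "unparsed"


def parse_component_export(text):
    """Parse 'COMPONENT RELEASE [SP ...]' lines; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        release = parts[1] if len(parts) > 1 else ""
        rows.append((parts[0].upper(), release))
    return rows


def classify(component, release):
    """Classify one component/release pair against the advisory's affected list."""
    if component in AFFECTED_RANGES:
        # Release strings may carry trailing text (e.g. "108 SP02"); use the leading integer.
        m = re.match(r"(\d+)", release)
        if not m:
            return Finding(component, release, "unparsed")
        lo, hi = AFFECTED_RANGES[component]
        status = "affected" if lo <= int(m.group(1)) <= hi else "not_listed"
        return Finding(component, release, status)
    if component in NAMED_WITHOUT_RANGE:
        return Finding(component, release, "verify")
    # Not named on the page: check SAP's note yourself; this is not a clean bill of health.
    return Finding(component, release, "not_listed")


def triage(text):
    return [classify(c, r) for c, r in parse_component_export(text)]


# Constructed sample export (hypothetical system), in the column order component, release, SP.
SAMPLE_EXPORT = """
# component  release  SP
SAP_BASIS    758      0002
S4CORE       107      0001
DMIS         2020     0012
SEM-BW       758      0003
UIBAS001     758      0001
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f.component:10} {f.release:6} {f.status}")
```

Run it against a real export before and after applying the note: the S4CORE release number does not change when a correction is implemented via SNOTE, so a line reported as "affected" here still needs the note-implementation check described above to be closed out.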
