A newly disclosed vulnerability in SAP S/4HANA (CVE-2025-42957) has entered active exploitation, putting healthcare organizations at risk if they have not yet applied SAP’s August 2025 Patch Day updates. The flaw, which scores 9.9 on the CVSS scale, is an ABAP code injection vulnerability that allows attackers with even low-privileged credentials to inject arbitrary code, bypass authorizations, and take full control of SAP systems.
SAP platforms are widely used in healthcare for finance, procurement, logistics, and supply chain management. Exploitation in these contexts could lead to stolen patient data, manipulation of billing or insurance records, and disruptions in the procurement of medicines and medical devices. SecurityBridge, the firm that discovered the bug, confirmed that it has observed actual exploitation in the wild — even though large-scale attacks have not yet been reported.
The vulnerability lies in an RFC-exposed function module of SAP S/4HANA and related products. Because ABAP code is openly accessible, threat actors can easily reverse engineer the vendor’s patch to recreate the exploit, meaning unpatched systems are essentially low-hanging fruit. Once compromised, attackers can run system-level commands, escalate privileges through the creation of backdoor accounts, dump credentials, and deploy ransomware or other malware.
For hospitals and health systems, this could translate to operational downtime, locked medical records, delayed patient care, or even canceled surgeries if resource planning systems are taken offline. Beyond immediate disruption, the risk of data manipulation and theft of sensitive patient or financial records could trigger regulatory investigations and compliance fines.
Vulnerable products include S/4HANA (Private Cloud and On-Premise) versions S4CORE 102–108, Landscape Transformation DMIS, Business One (SLD), and NetWeaver Application Server ABAP and SEM-BW variants. SAP released fixes on August 11, 2025, but many healthcare organizations have not yet applied them, creating an urgent exposure window.
SecurityBridge warns that while exploitation remains limited, the ease of developing working exploits means widespread attacks are likely imminent. Healthcare administrators should act immediately to apply the patches, enforce strict access controls, and monitor SAP logs for anomalies that may indicate abuse.
Healthcare IT leaders should treat CVE-2025-42957 as an urgent priority. Hospitals and medical networks that delay patching risk disruptions in core services, theft of sensitive patient data, and cascading supply chain failures. The safest path forward is to apply SAP’s August 2025 updates without delay, rotate and audit privileged accounts, and establish proactive monitoring for SAP environments. In healthcare, where IT failures directly affect patient safety, patching isn’t just a technical necessity — it’s a patient care imperative.
