The National Computer Emergency Response Team (NCERT) has issued a critical security advisory regarding a newly disclosed vulnerability in SAP S/4HANA systems, used in businesses worldwide.

The flaw, tracked as CVE-2025-42957 with a CVSS score of 9.9, exists in the Remote Function Call (RFC) module due to insufficient input validation. The vulnerability allows attackers to remotely inject malicious code into SAP environments, requiring only low-level credentials and no user interaction.

According to the advisory, exploitation of this vulnerability could result in remote code execution, unauthorized access, privilege escalation, system compromise, theft of sensitive enterprise data, and the deployment of ransomware or spyware. Given SAP’s widespread use in enterprise resource planning (ERP) and mission-critical operations, the flaw is considered one of the most severe threats to business systems in recent years. NCERT confirmed that the vulnerability is already being actively exploited in the wild.

The advisory highlights that multiple versions of SAP products are affected, including S/4HANA (both private cloud and on-premise), Business One, Landscape Transformation components, and NetWeaver Application Server ABAP. Organizations using vulnerable versions of these products have been urged to apply SAP’s September 2025 security updates without delay. Internet-facing and high-priority instances are especially at risk if left unpatched.

For organizations unable to patch immediately, NCERT recommended temporary mitigations such as restricting access to trusted networks, deploying Web Application Firewall (WAF) rules to block suspicious payloads, and monitoring system logs for unusual RFC activity or privilege escalations. Strengthening access controls, enforcing least-privilege policies, and continuous monitoring of SAP traffic were also advised as part of a broader security posture.
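The monitoring mitigation above is the one a security team can start on before the patch window opens. The following script is an added example, not code from NCERT or SAP: it runs a few defensive checks over constructed RFC audit records and flags RFC calls from outside a trusted-network allowlist, privilege (role) changes for review, and bursts of RFC calls from one source. The space-separated record layout, the trusted networks, the user names and the function-module names are all constructed assumptions; the page does not describe SAP's real audit log format, so the parser must be adapted to whatever export your SAP landscape actually produces.

```python
"""Flag unusual RFC activity in constructed audit records (added example,
not the advisory's or SAP's own tooling).

Hypothetical record layout, one event per line:
    <ISO-8601 timestamp> <client IP> <user> <event kind> <detail...>
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed allowlist: networks from which RFC traffic is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.10.0/24")]
BURST_THRESHOLD = 5              # RFC calls per (source, user) ...
BURST_WINDOW = timedelta(minutes=1)  # ... inside this window trip a finding
PRIV_EVENTS = {"ROLE_CHANGE", "PROFILE_CHANGE"}  # hypothetical event kinds

# Constructed sample records; the external address 203.0.113.55 is a
# documentation-range IP, not a real host.
SAMPLE_LOG = """\
2025-09-10T08:01:12Z 10.0.4.21 BATCH01 RFC_CALL FM=Z_EXPORT_REPORT
2025-09-10T08:01:15Z 10.0.4.21 BATCH01 RFC_CALL FM=Z_EXPORT_REPORT
2025-09-10T08:02:00Z 192.168.10.7 SECADMIN ROLE_CHANGE USER=BATCH01 ROLE=FINANCE_POSTING
2025-09-10T08:03:40Z 203.0.113.55 SVC_READ RFC_CALL FM=Z_EXPORT_REPORT
2025-09-10T08:03:41Z 203.0.113.55 SVC_READ ROLE_CHANGE USER=SVC_READ ROLE=FULL_ADMIN
2025-09-10T08:03:42Z 203.0.113.55 SVC_READ RFC_CALL FM=Z_EXPORT_REPORT
2025-09-10T08:03:43Z 203.0.113.55 SVC_READ RFC_CALL FM=Z_EXPORT_REPORT
2025-09-10T08:03:44Z 203.0.113.55 SVC_READ RFC_CALL FM=Z_EXPORT_REPORT
2025-09-10T08:03:45Z 203.0.113.55 SVC_READ RFC_CALL FM=Z_EXPORT_REPORT
"""


@dataclass
class Event:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    user: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed-format record; the detail field may contain spaces."""
    ts, src, user, kind, detail = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 ipaddress.ip_address(src), user, kind, detail)


def is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines) -> list[tuple[str, str, str, str]]:
    """Return findings as (rule, user, source_ip, timestamp) tuples, in log order.

    Each (source, user) pair is reported at most once per rule so that a noisy
    session does not drown the console in duplicate findings.
    """
    findings = []
    recent_calls = defaultdict(list)   # (src, user) -> RFC call timestamps
    reported = set()                   # (rule, src, user) already emitted

    def report(rule, ev):
        key = (rule, ev.src, ev.user)
        if key not in reported:
            reported.add(key)
            findings.append((rule, ev.user, str(ev.src), ev.ts.isoformat()))

    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ev = parse_line(raw)
        if ev.kind == "RFC_CALL":
            if not is_trusted(ev.src):
                report("rfc_from_untrusted_network", ev)
            key = (ev.src, ev.user)
            # keep only calls inside the sliding window, then test the count
            recent_calls[key] = [t for t in recent_calls[key]
                                 if ev.ts - t <= BURST_WINDOW] + [ev.ts]
            if len(recent_calls[key]) >= BURST_THRESHOLD:
                report("rfc_burst", ev)
        elif ev.kind in PRIV_EVENTS:
            # every privilege change is surfaced for review, trusted source or not
            report("privilege_change", ev)
    return findings


if __name__ == "__main__":
    for rule, user, src, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {rule:<28} user={user} src={src}")
```

On the constructed sample this yields four findings: the administrator's role change (for review), then the untrusted-network RFC call, the self-assigned role change and the call burst from 203.0.113.55. The allowlist check is the one that maps most directly to the advisory's "restrict access to trusted networks" recommendation; the burst and privilege-change rules are there to catch activity that a network rule alone would not.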

NCERT emphasized that timely patching remains the most effective defense against this threat. Security teams have been instructed to incorporate SAP-specific exploitation scenarios into their incident response plans, validate backup readiness, and remain vigilant for indicators of compromise linked to CVE-2025-42957. Failure to act promptly could result in full compromise of enterprise business systems, putting critical data and operations at risk.

By admin