Security Operations, SOC, Patch/Configuration Management, Vulnerability Management, Exposure management

SAP patches three critical 9.9 S/4 HANA bugs

SAP is a German based multinational software corporation

On its Aug. 12 “Security Patch Day,” SAP released 19 security notes — four of which were previously released — and three were patches to critical 9.9 bugs found on its SAP S/4 HANA ERP system.

S/4 HANA is SAP’s flagship ERP platform, widely deployed across Fortune 500 companies and critical industries, including manufacturing, finance, healthcare, and defense. 

“The interconnected nature of these systems means that if attackers gain access to one vulnerable instance, they can potentially pivot to adjacent systems through trusted remote function call (RFC) connections or reuse of credentials,” said Jonathan Stross, SAP Security Analyst at Pathlock. “This makes prompt patching absolutely essential.”

J Stephen Kowski, Field CTO at SlashNext Email Security, added that successful exploitation of S/4HANA can “absolutely” drive lateral movement.

“Once code runs in SAP’S ABAP programming language with elevated privileges, attackers can pivot via RFCs, job scheduling, connected middleware, and identity integrations to reach other systems,” he said.

Here's a rundown from Pathlock's Stross on the three 9.9 critical patches, which he said teams should patch immediately.

CVE-2025-27429: Code Injection via RFC in S/4HANA

An attacker with low privileges can inject arbitrary ABAP code (SAP's programming language) into systems via RFC function modules in the Landscape Transformation stack. The vulnerability allows full system compromise, impacting confidentiality, integrity, and availability. Apply this patch immediately across all S/4HANA systems using CA-LT-ANA.

CVE-2025-42950 – Code Injection in SAP Landscape Transformation

Same core vulnerability as the previous bug, but found in systems using SAP Landscape Transformation (SLT) Analysis Platform. Exploitation leads to remote ABAP execution and potentially full system takeover. Patch SLT and restrict RFC access to transformation modules.

CVE-2025-42957 – Code Injection in S/4HANA Analytics

Affects the analytics transformation layer in S/4HANA. Malicious input through RFC interfaces allows arbitrary code injection with high privileges. Treat as an emergency patch, an apply across all analytical/data transformation endpoints.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds