The Register: Critical, make-me-super-user SAP S/4HANA bug under active exploitation

Sep 5, 2025

—

Source URL: https://www.theregister.com/2025/09/05/critical_sap_s4hana_bug_exploited/
Source: The Register
Title: Critical, make-me-super-user SAP S/4HANA bug under active exploitation

Feedly Summary: 9.9-rated flaw on the loose, so patch now
A critical code-injection bug in SAP S/4HANA that allows low-privileged attackers to take over your SAP system is being actively exploited, according to security researchers.…

AI Summary and Description: Yes

Summary: A critical code-injection vulnerability has been identified in SAP S/4HANA, rated 9.9 on the CVSS scale, allowing low-privileged attackers to potentially take over SAP systems. Immediate patching is recommended to mitigate risks associated with this vulnerability.

Detailed Description: This text highlights a severe security vulnerability that poses a significant risk to organizations using SAP S/4HANA. The classification of this issue mainly falls under Information Security and Software Security, given that it pertains to vulnerabilities within software systems and their implications for organizational security.

Key insights include:
– **Severity**: The vulnerability has a CVSS score of 9.9, indicating critical risk and urgency for organizations to address it.
– **Vulnerability Type**: Described as a code-injection bug, which implies that attackers may exploit it to execute malicious code within the SAP environment.
– **Target Audience**: Low-privileged attackers can exploit this issue, meaning that even those with limited access can potentially gain elevated privileges within the system.
– **Recommended Actions**: Security researchers emphasize the need for immediate patching, highlighting the importance of proactive security measures in software management.

Implications for security and compliance professionals:
– **Proactive Security**: Organizations must stay vigilant about quickly applying patches to critical vulnerabilities to protect sensitive business data and processes.
– **Risk Management**: Understanding the implications of a high CVSS score is crucial for prioritizing security efforts.
– **Incident Response**: Preparing an incident response strategy for potentially compromised systems is paramount, as low-privileged attackers could significantly damage the integrity and confidentiality of sensitive information.

More extensive measures should include regular security assessments and updates, continuous education for staff on security best practices, and the implementation of strict access controls to reduce the risks posed by vulnerabilities like this one.

2 2025 4 5 a access access control access controls Act actions active exploitation age AI All and app Arch as assessment assessments at ated attack attacker attackers Audience being Best best practices Bi Bug business business data by C CI CIA class classification co code compliance compliance professionals compromised compromised systems confidentiality continuous control controls core critical critical risk CVSS D data de e education end environment exp exploit Exploitation for g Gen GIS H high Highlight http HTTPS implementation implications implications for security in incident incident response incident response strategy information information security injection injection bug Injection vulnerability insights integrity io Iron issue ite J k Key l law led Li low M malicious code man management mean measures media N no o of on one ons organization organizational security organizations oS out over Patch patches patching per potential practices pre privilege pro proactive proactive security proactive security measures process processes professionals ps Q QUIC R rate RCE re red regular security assessments research researchers response response strategy Risk risk management risks Ro RoT s S/4 SAP Scale search sec security security and compliance security assessment security assessments security best practices security efforts security measure security measures Security Research Security Researcher security researchers security vulnerability sensitive information severity Sig size SoC software software management software security software systems source SSE SSO Strategy system systems T target ted text the to TP type UI under up update updates US use user V vulnerabilities vulnerability Ware Wi x z