A critical vulnerability in SAP S/4HANA is being actively exploited in the wild, allowing attackers with low-level user access to gain complete control over affected systems.

The vulnerability, tracked as CVE-2025-42957, carries a CVSS score of 9.9 out of 10, signaling a severe and imminent threat to organizations running all releases of S/4HANA, both on-premise and in private clouds.

The flaw was discovered by researchers at SecurityBridge Threat Research Labs, who have now verified that malicious actors are already using it.

SAP released a patch on August 11, 2025, and experts are urging all customers to apply the security updates immediately.

SAP S/4HANA Vulnerability Actively Exploited

Successful exploitation of this ABAP code injection vulnerability grants an attacker full administrative privileges. This allows them to access the underlying operating system and gain complete control over all data within the SAP system.

The consequences are dire and can include the theft of sensitive business information, financial fraud, espionage, or the deployment of ransomware.

An attacker could delete or insert data directly into the database, create new administrator accounts with SAP_ALL privileges, download password hashes, and modify core business processes with minimal effort.

What makes CVE-2025-42957 particularly dangerous is its low attack complexity. An attacker only needs access to a low-privileged user account, which could be obtained through phishing or other common methods.

From there, they can exploit the flaw over the network without any user interaction, escalating their privileges to achieve a full system compromise.

SecurityBridge, which responsibly disclosed the vulnerability to SAP on June 27, 2025, warns that unpatched systems are exposed to immediate risk.

Because SAP’s ABAP code is open, reverse engineering the patch to create a working exploit is a relatively simple task for skilled attackers.

Mitigations

Security experts have issued clear guidance for organizations to protect themselves:

• Patch Immediately: Apply SAP’s August 2025 security updates, specifically SAP Notes 3627998 and 3633838, without delay.
• Review Access: Restrict access to the S_DMIS authorization object and consider implementing SAP UCON to limit RFC usage.
• Monitor System Logs: Actively watch for suspicious RFC calls, the creation of new high-privilege users, or unexpected changes to ABAP code.
• Harden Defenses: Ensure robust system segmentation, regular backups, and SAP-specific security monitoring solutions are in place to detect and respond to attacks.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Critical SAP S/4HANA Vulnerability Actively Exploited to Fully Compromise Your SAP System appeared first on Cyber Security News.

A critical, zero-click vulnerability that allows attackers to hijack online accounts by exploiting how web applications handle international email addresses.

The flaw, rooted in a technical discrepancy known as a “canonicalization mismatch,” affects password reset and “magic link” login systems, which are foundational to modern web security.

According to NullSecurityX, the attack requires no interaction from the victim, making it exceptionally dangerous. An attacker can gain full control of an account simply by requesting a password reset using a specially crafted email address that appears identical to the victim’s.

This method bypasses the need for phishing or tricking the user into clicking a malicious link.

The vulnerability stems from the interplay between Unicode, which allows for characters from various languages in domain names (Internationalized Domain Names or IDN), and Punycode, the system that converts these characters into the standard ASCII format used by internet infrastructure.

0-Click Vulnerability Using Punycode

Attackers can register a domain using Unicode characters that are visually indistinguishable from standard letters, such as a Cyrillic ‘o’ instead of a Latin ‘o’.

According to a technical analysis of the vulnerability, the attack unfolds when a web application’s backend processes a password reset request.

For example, an attacker might request a password reset for “victim@gmail.com” but submit the address using a “full-width” ‘m’ (gｍail.com).

The application’s front-end or validation logic may fail to distinguish between the legitimate address and the visually confusable one, approving the request.

However, when the email system sends the reset link, it correctly routes it to the attacker-controlled Punycode version of the domain (e.g., xn--...). The attacker then receives the privileged link and takes over the account, while the legitimate user remains completely unaware.

This “0-click” nature is what makes the threat so severe. The compromise is not a result of user error but a fundamental flaw in how different layers of an application, from the user interface and validation rules to the database and mail servers, handle email addresses.

Each component may interpret the Unicode and Punycode versions differently, creating a gap that attackers can exploit, NullSecurityX said.

“The result is that two addresses that look the same to humans can be handled as different strings by the mail transport,” the research paper states.

Since email often serves as the ultimate “trust anchor” for recovering access to countless other online services, a compromise can have a cascading effect.

Experts are urging developers to immediately review and fortify their authentication systems. Mitigation requires implementing consistent normalization of email addresses across all system components, using robust validation libraries that understand Unicode confusables, and ensuring that database lookups are not susceptible to these visual tricks.

This silent but potent threat highlights the need for a deeper, code-level understanding of how seemingly simple data like an email address is processed and trusted.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Critical 0-Click Vulnerability Enables Attackers to Takeover Email Access Using Punycode appeared first on Cyber Security News.