Critical SAP S/4HANA Code Injection Flaw Exploited in the Wild
Security researchers have confirmed active exploitation of a newly disclosed code injection vulnerability in SAP S/4HANA systems, tracked as CVE-2025-42957. This vulnerability allows attackers to gain complete control over vulnerable SAP environments, a development likely to impact large enterprises relying on these mission-critical ERP solutions.
Vulnerability Overview
CVE-2025-42957 is a critical code injection vulnerability affecting the SAP S/4HANA platform. The flaw enables unauthenticated attackers to inject and execute arbitrary code in the context of the application server. Its root cause is attributed to insufficient input validation in a core module that processes user-supplied data, ultimately allowing attackers to escape intended controls and interact with underlying operating system resources.
Attack Vector and Impact
The vulnerability can be remotely exploited via crafted HTTP requests carrying malicious payloads to vulnerable SAP S/4HANA endpoints. Once successfully executed, attackers acquire system-level privileges, enabling data exfiltration, credential dumping, lateral movement across associated business subsystems, and even the deployment of persistent malware or ransomware.
Technical Details and Exploit Activity
Security experts have identified active attempts to scan for and exploit SAP endpoints exposed to public networks. Attackers leverage automated tools that enumerate vulnerable installations using fingerprinting mechanisms drawn from public SAP-specific signatures, followed by targeted payload delivery exploiting the code injection route. Organizations with custom integrations or outdated SAP patch levels are at highest risk.
Mitigation and Recommendations
Immediate application of SAP-provided security patches is strongly advised. Additional mitigations include limiting network exposure of SAP endpoints, applying strict API and reverse proxy filtering, and continuous behavioral monitoring for abnormal process spawning activities. It is further recommended to consult the SAP advisories and coordinate with supply chain partners to verify the integrity of interconnected applications.
Google Warns of ViewState Deserialization Attacks Due to Sample Machine Key Exposure
Google security analysts have issued a warning on novel ViewState deserialization attacks targeting legacy ASP.NET deployments. Attackers exploit a sample machine key—previously published in outdated deployment documentation—to bypass signature validation and achieve remote code execution through malicious .NET payloads.
Threat Landscape and Vulnerability
The ViewState mechanism in ASP.NET is commonly used to serialize page state between client and server, relying on cryptographic validation tied to the machine key. Recent attack campaigns leverage a widely circulated sample key from older deployment guides, allowing for creation of malicious ViewState payloads that are correctly signed according to the reused key.
Technical Exploitation Details
By constructing serialized objects containing attacker-controlled code and signing them using the known sample key, threat actors bypass ViewState’s integrity checks. Successful exploitation gives remote attackers arbitrary code execution capabilities within the ASP.NET process, with potential access to web server privileges and backend systems.
Mitigation Strategies
System administrators are advised to audit machine key configurations on legacy systems and retire any keys matching public samples or defaults. Enforcing unique, cryptographically secure keys is essential. Upgrading to newer ASP.NET frameworks with improved anti-deserialization controls and monitoring for unexpected ViewState parameter behavior can further reduce risk.
TP-Link TL-WA855RE Extender Hijacking Vulnerability Forces CISA Advisory
CISA has issued a security advisory urging users to retire the discontinued TP-Link TL-WA855RE wireless extenders due to a vulnerability allowing remote attackers to reset and hijack device management. This flaw exposes organizations and individuals to risks such as unauthorized network reconfiguration and full device takeover.
Vulnerability Description
The critical vulnerability exists in the device’s web management interface, requiring minimal interaction from the attacker. By sending specially crafted requests, an unauthenticated attacker can trigger a factory reset of the device followed by setting a new administrator password, effectively wresting control from the legitimate owner.
Attack Techniques and Impact
Exploitation may be carried out via local network access or—if the management port is exposed—over the internet. Consequences include the ability to reroute traffic, silently monitor network usage, establish rogue access points, or use the compromised extender as a pivot for further attacks within the target’s LAN.
Remediation and Device Lifecycle Guidance
As TP-Link has discontinued the affected extenders and no longer provides firmware updates, users are strongly urged to decommission or physically disconnect these devices immediately. Replacement with secure, supported hardware and proper segmentation of network infrastructure should be prioritized.
Chrome V8 JavaScript Engine Use-After-Free Vulnerability Patched
Google Chrome’s latest release includes a fix for a high-severity use-after-free vulnerability in the V8 JavaScript engine. This memory management defect could be leveraged for remote code execution in the context of the browser, placing end users at risk from compromised websites or malvertising campaigns.
Vulnerability Background
The V8 engine underpins JavaScript execution in Chrome. The patched defect stemmed from improper reference counting in the handling of specific object types, which could allow crafted JavaScript code to force access to freed memory regions.
Exploitation Mechanics
Malicious actors may deploy exploit-laden web pages or third-party scripts that trigger the faulty memory allocation logic, resulting in the browser executing attacker-supplied payloads. Such vulnerabilities are frequently used for drive-by exploitation, data theft, and the installation of further malware on targeted endpoints.
Protective Actions
Users and enterprise administrators should update Chrome immediately to the latest release. Additional mitigations include limiting exposure to untrusted content, employing sandboxing for browser processes, and leveraging advanced endpoint protection solutions designed to detect browser exploitation attempts.
Wytec Website Defaced Twice: Recovery Efforts Ongoing
Telecommunications provider Wytec has suffered two distinct website defacements within the span of a week. The ongoing incident showcases persistent targeting of small and medium business infrastructure, with the company’s site still offline as recovery efforts continue.
Incident Timeline and Attacker Tactics
Both defacement events took place despite initial recovery and restoration efforts, indicating either exploitation of an unpatched vulnerability or the presence of multiple backdoors within Wytec’s web application environment. The attackers replaced site content with custom messages and disruptive imagery.
Technical Analysis
Forensic review suggests weak access controls and a lack of timely patch management may have contributed. Possible attack vectors include public-facing CMS vulnerabilities, outdated libraries, or credential stuffing using previously compromised credentials.
Remediation Steps
Wytec is reportedly conducting a root-cause investigation, applying a full web stack audit, and coordinating with external security consultants. The incident highlights the importance of layered defensive strategies, rapid incident response, and proactive intelligence monitoring for all business sizes.