CVE-2026-0509

Summary

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKRNL64NUC 7.22affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform7.22EXTaffected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKRNL64UC 7.22affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform7.53affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP PlatformKERNEL 7.22affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform7.54affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform7.77affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform7.89affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform7.93affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform9.16affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform9.18affected
SAP_SESAP NetWeaver Application Server ABAP and ABAP Platform9.19affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References