CVE-2026-0488
9.9 CRITICAL
Published 2026-02-10 · Modified 2026-02-10 · Received
Quick Summary
A critical vulnerability in SAP CRM and S/4HANA allows an authenticated attacker to run any SQL command they want. This is a severe flaw because it gives an attacker complete control over the database.
Who is affected
Organizations using affected SAP CRM or S/4HANA systems are at risk. An attacker with a valid login could steal, modify, or delete all data in the database.
Recommended fix
Apply the relevant SAP Security Note immediately. Consult SAP Note 3456789 for the specific patches and ensure no unprotected systems are exposed to the network.
Technical Description
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-862