CVE-2026-0509
9.6 CRITICAL
Published 2026-02-10 · Modified 2026-02-10 · Received
Quick Summary
A critical vulnerability in SAP NetWeaver allows authenticated users with low privileges to perform background remote function calls without the required S_RFC authorization in certain cases. Because the authorization check is bypassed, they can perform actions they should not be permitted to perform.
Who is affected
SAP NetWeaver ABAP and ABAP Platform users are affected. An attacker with a basic user account could disrupt services or alter data, severely impacting system integrity and availability.
Recommended fix
Apply the relevant SAP Security Note as per the vendor's advisory. Immediately restrict background RFC user authorizations as a critical mitigation until the patch is deployed.
Technical Description
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
CWE: CWE-862