CVE-2022-41264

HIGH

SAP BASIS 731, 740, 750-757, 789-791 - Authenticated Remote Code Execution via RFC Function Module

Title source: llm

Description

Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.

References (2)

Core 2

Core References

Permissions Required, Vendor Advisory

https://launchpad.support.sap.com/#/notes/3268172

Vendor Advisory

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Scores

CVSS v3 8.8

EPSS 0.0085

EPSS Percentile 75.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (13)

sap/basis 7.31

sap/basis 7.40

sap/basis 7.50

sap/basis 7.51

sap/basis 7.52

sap/basis 7.53

sap/basis 7.54

sap/basis 7.55

sap/basis 7.56

sap/basis 7.57

... and 3 more

Published Dec 13, 2022

Tracked Since Feb 18, 2026