CVE-2026-0498
CRITICAL
SAP S/4HANA - Authenticated ABAP Code and OS Command Injection via RFC Function Module
Title source: llm
Description
SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
References (2)
Core References
Permissions Required
https://me.sap.com/notes/3694242
Patch, Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
9.1
EPSS
0.0009
EPSS Percentile
24.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (8)
sap/s\/4_hana
102
sap/s\/4_hana
103
sap/s\/4_hana
104
sap/s\/4_hana
105
sap/s\/4_hana
106
sap/s\/4_hana
107
sap/s\/4_hana
108
sap/s\/4_hana
109
Published
Jan 13, 2026
Tracked Since
Feb 18, 2026