CVE-2026-0509
CRITICALSAP NetWeaver Application Server ABAP/ABAP Platform - Privilege Esc...
Title source: llmDescription
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.
References (2)
Core 2
Core References
Permissions Required
https://me.sap.com/notes/3674774
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
9.6
EPSS
0.0002
EPSS Percentile
5.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (14)
sap/netweaver_as_abap_kernel
7.22
sap/netweaver_as_abap_kernel
7.53
sap/netweaver_as_abap_kernel
7.54
sap/netweaver_as_abap_kernel
7.77
sap/netweaver_as_abap_kernel
7.89
sap/netweaver_as_abap_kernel
7.93
sap/netweaver_as_abap_kernel
9.16
sap/netweaver_as_abap_kernel
9.18
sap/netweaver_as_abap_kernel
9.19
sap/netweaver_as_abap_krnl64nuc
7.22
... and 4 more
Published
Feb 10, 2026
Tracked Since
Feb 18, 2026