CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-0488

CVSS 9.9v3.1pub. 2026-02-10upd. 2026-02-17

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

🤖 AI Analysis
How it works

The vulnerability (CWE-862 — missing authorization control) consists in the application not properly verifying user permissions when invoking a specific generic function module call. An authenticated attacker can abuse this call to execute critical operations to which they should not normally have access. As a result, arbitrary SQL queries can be executed directly on the database supporting the SAP system.

Impact

An attacker can gain full database access — read, modify, or delete any data, resulting in complete compromise of system confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to references — SAP Note 3697099 (https://me.sap.com/notes/3697099) published as part of the SAP Security Patch Day. Priority implementation of updates is recommended due to the critical severity level of the vulnerability.

Who is affected

SAP NetWeaver Application Server ABAP, SAP CRM (Scripting Editor), SAP S/4HANA — specific versions indicated in vendor references (SAP Note 3697099)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Sap Netweaver Application Server Abap

    APP
    Sap
    700
  • Sap S\/4hana

    APP
    Sap
    102103104105106107108109
  • Sap Webclient Ui Framework

    APP
    Sap
    700701730731746747748800801
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2022-22536CRITICAL10.0⚠ KEVten sam produkt

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Serve...

CVE-2023-40309CRITICAL9.8ten sam produkt

SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong aut...

CVE-2023-27269CRITICAL9.6ten sam produkt

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752,...

CVE-2023-27500CRITICAL9.6ten sam produkt

An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO ...

CVE-2023-0014CRITICAL9.0ten sam produkt

SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, ...