CVE-2026-0509
high-risk
Published 2026-02-10
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.
Do I need to act?
-
0.02% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.6/10
Critical
NETWORK
/ LOW complexity
Affected Products (14)
Netweaver As Abap Kernel
Netweaver As Abap Kernel
Netweaver As Abap Kernel
Netweaver As Abap Kernel
Netweaver As Abap Kernel
Netweaver As Abap Kernel
Netweaver As Abap Kernel
Netweaver As Abap Kernel
Netweaver As Abap Kernel
Netweaver As Abap Krnl64Nuc
Netweaver As Abap Krnl64Nuc
Netweaver As Abap Krnl64Uc
Netweaver As Abap Krnl64Uc
Netweaver As Abap Krnl64Uc
Affected Vendors
References (2)
Permissions Required
https://me.sap.com/notes/3674774
Vendor Advisory
https://url.sap/sapsecuritypatchday
50
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
0/34 · Minimal
Exposure
18/34 · Moderate