{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0509", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:48.421Z", "datePublished": "2026-02-10T03:01:52.913Z", "dateUpdated": "2026-02-10T16:27:08.976Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP NetWeaver Application Server ABAP and ABAP Platform", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "KRNL64NUC 7.22"}, {"status": "affected", "version": "7.22EXT"}, {"status": "affected", "version": "KRNL64UC 7.22"}, {"status": "affected", "version": "7.53"}, {"status": "affected", "version": "KERNEL 7.22"}, {"status": "affected", "version": "7.54"}, {"status": "affected", "version": "7.77"}, {"status": "affected", "version": "7.89"}, {"status": "affected", "version": "7.93"}, {"status": "affected", "version": "9.16"}, {"status": "affected", "version": "9.18"}, {"status": "affected", "version": "9.19"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.</p>"}], "value": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:01:52.913Z"}, "references": [{"url": "https://me.sap.com/notes/3674774"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T16:26:52.577763Z", "id": "CVE-2026-0509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:27:08.976Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T16:26:52.577763Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:27:05.327Z"}}], "cna": {"title": "Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP NetWeaver Application Server ABAP and ABAP Platform", "versions": [{"status": "affected", "version": "KRNL64NUC 7.22"}, {"status": "affected", "version": "7.22EXT"}, {"status": "affected", "version": "KRNL64UC 7.22"}, {"status": "affected", "version": "7.53"}, {"status": "affected", "version": "KERNEL 7.22"}, {"status": "affected", "version": "7.54"}, {"status": "affected", "version": "7.77"}, {"status": "affected", "version": "7.89"}, {"status": "affected", "version": "7.93"}, {"status": "affected", "version": "9.16"}, {"status": "affected", "version": "9.18"}, {"status": "affected", "version": "9.19"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3674774"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.", "supportingMedia": [{"type": "text/html", "value": "<p>SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:01:52.913Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0509", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:27:08.976Z", "dateReserved": "2025-12-09T22:06:48.421Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-02-10T03:01:52.913Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.22:*:*:*:*:*:*:*", "matchCriteriaId": "FE603A80-8FF0-4180-9E11-C468AE2441C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.53:*:*:*:*:*:*:*", "matchCriteriaId": "7EB97250-22A3-4BA6-8498-59ED0E81E3CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.54:*:*:*:*:*:*:*", "matchCriteriaId": "7F5D31D3-B2B2-4347-B8DF-D06056289598", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.77:*:*:*:*:*:*:*", "matchCriteriaId": "50570852-982E-40CA-B391-3FB8B9373F78", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.89:*:*:*:*:*:*:*", "matchCriteriaId": "B8B74AD9-A83E-45DD-96C2-4F3C8C8C6AE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:7.93:*:*:*:*:*:*:*", "matchCriteriaId": "237DBA4A-B5A9-48C9-B6A3-D293BB66EF69", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.16:*:*:*:*:*:*:*", "matchCriteriaId": "3668B2D9-0A4C-43F5-B248-9A6438AF7D71", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.18:*:*:*:*:*:*:*", "matchCriteriaId": "1BC9779B-7571-44F7-BCCC-6BF2834ED779", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_kernel:9.19:*:*:*:*:*:*:*", "matchCriteriaId": "D243C94B-F182-48A0-9775-4B193B913B8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22:*:*:*:*:*:*:*", "matchCriteriaId": "02507EB2-8776-4EA9-9164-B2F6AD911B59", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64nuc:7.22ext:*:*:*:*:*:*:*", "matchCriteriaId": "7867ADA5-47AA-48DD-9CAC-D3ACB5713CB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22:*:*:*:*:*:*:*", "matchCriteriaId": "B5E3292A-7311-4821-A52E-8FB4A1449D44", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.22ext:*:*:*:*:*:*:*", "matchCriteriaId": "171A52A4-8383-47D9-89D4-FC44CA84DA49", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_as_abap_krnl64uc:7.53:*:*:*:*:*:*:*", "matchCriteriaId": "B1190FF1-8D50-4424-AE21-6AE562D5C6B1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application."}, {"lang": "es", "value": "SAP NetWeaver Servidor de Aplicaciones ABAP y Plataforma ABAP permite a un usuario autenticado y con bajos privilegios realizar llamadas a funciones remotas en segundo plano sin la autorizaci\u00f3n S_RFC requerida en ciertos casos. Esto puede resultar en un alto impacto en la integridad y disponibilidad, y ning\u00fan impacto en la confidencialidad de la aplicaci\u00f3n."}], "id": "CVE-2026-0509", "lastModified": "2026-02-17T16:04:59.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-02-10T04:16:02.357", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3674774"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "KRNL64NUC 7.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.22EXT"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "KRNL64UC 7.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.53"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "KERNEL 7.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.54"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.77"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.89"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.93"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "9.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "9.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "9.19"}}], "product": "sap_netweaver_application_server_abap_and_abap_platform", "vendor": "sap_se"}], "analysis": {"en": {"generated_at": "2026-04-17T21:00:17.887392+00:00", "value": {"mitigation_remediation": ["Apply SAP security patch noted in SAP Note\u202f3674774 to update the affected ABAP kernel components.", "Restrict or remove the S_RFC authorisation from low\u2011privileged roles, ensuring only authorised users can trigger background RFCs.", "Enable comprehensive logging of RFC activity and regularly review audit trails for anomalies."], "summary": {"action": "Patch Now", "impact": "Remote Function Call Authorization Bypass leading to Integrity and Availability compromise"}, "threat_synthesis": {"affected_systems": "SAP NetWeaver Application Server ABAP and ABAP Platform\u2014specifically kernel versions 7.22, 7.53, 7.54, 7.77, 7.89, 7.93 and 9.16, 9.18, 9.19, along with corresponding 64\u2011bit non\u2011Nuclear and 64\u2011bit NUC variations\u2014are affected.", "description_and_impact": "Allows an authenticated, low\u2011privileged user to invoke background remote function calls in SAP NetWeaver Application Server ABAP against the S_RFC authorization boundary. This flaw enables the attacker to modify application data and disrupt service, constituting a high\u2011impact breach of integrity and availability while preserving confidentiality.", "risk_and_exploitability": "Given the CVSS base score of 9.6, the exploit is evaluated as highly impactful; the EPSS score of less than 1\u202f% suggests a very low probability of exploitation at this time, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector involves an authenticated session via SAP user credentials, with the attacker leveraging low\u2011privilege accounts to execute unauthorized background RFCs. The lack of confidentiality impact indicates the flaw primarily harms integrity and availability of the hosted application."}}}}, "created": "2026-02-10T11:34:43.344239+00:00", "updated": "2026-04-17T21:15:27.370612+00:00", "vendors": ["sap_se", "sap_se$PRODUCT$sap_netweaver_application_server_abap_and_abap_platform"]}