SAP NetWeaver CVE-2026-27671

EUVD-2026-35278 | CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-06-09 cna@sap.com GHSA-rvg2-xqmh-v3qw
CVSS 3.1: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 09, 2026 - 01:30 (vuln.today)
CVE Published: Jun 09, 2026 - 01:16 (nvd), CRITICAL 9.8

Description (NVD)

Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.

Analysis (AI)

Unauthenticated remote memory corruption in the SAP Kernel of SAP NetWeaver Application Server ABAP and ABAP Platform allows attackers to compromise confidentiality, integrity, and availability by sending crafted RFC requests that trigger logical errors in memory management. The CVSS 9.8 score reflects network-reachable, no-privileges, no-interaction exploitation against a foundational SAP component. No public exploit had been identified at the time of analysis, and exploitation status beyond the vendor disclosure is not confirmed in CISA KEV.

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify exposed SAP gateway/dispatcher port
Delivery: Connect to RFC listener unauthenticated
Exploit: Send crafted RFC protocol message
Install: Overflow stack buffer in SAP Kernel parser
C2: Hijack control flow in disp+work process
Execute: Execute code as <sid>adm
Impact: Pivot to SAP database and connected systems

Vulnerability Assessment (AI)

Exploitation: The attacker requires network reachability to an SAP gateway or dispatcher port (default 33xx/48xx range) accepting RFC traffic on an unpatched SAP NetWeaver AS ABAP or ABAP Platform instance. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no authentication, user interaction, or non-default configuration is required, as RFC listening is the default deployment mode for AS ABAP. …

Risk Assessment: All available signals point to this being a genuine top-tier priority. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H means network-reachable, low-complexity, unauthenticated, no-interaction exploitation with high impact across all three CIA dimensions, hitting a foundational SAP component used by virtually every SAP customer. …

Exploit Scenario: An attacker with TCP reachability to an SAP application server's gateway or dispatcher port crafts a malformed RFC protocol message that violates expected field-length or structural invariants and sends it without authentication, overflowing a stack buffer in the SAP Kernel and corrupting saved control data in the disp+work or gateway process. Depending on exploit refinement, this yields either a denial of service that crashes the work process or, with weaponization, arbitrary code execution under the <sid>adm OS account, granting full control over the ABAP application server and downstream access to the SAP database. …

Remediation: Apply the patch available per the vendor advisory by installing the SAP Kernel patch referenced in SAP Note 3717897 (https://me.sap.com/notes/3717897), and review the SAP Security Patch Day bulletin at https://url.sap/sapsecuritypatchday for the exact kernel patch level applicable to each release line. Exact fix versions were not included in the input data and must be confirmed against the SAP Note. …

Recommended Action (AI)

Within 24 hours: Inventory all SAP NetWeaver Application Server ABAP and ABAP Platform deployments, document current versions and patch levels, and identify external RFC connectivity. …
