CVE-2025-26661

Severity: High
Published: 11 March 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (26.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26661 is a high-severity Missing Authorization (CWE-862) vulnerability in SAP NetWeaver (ABAP Class Builder); the affected product is inferred from the references and description, since NVD filed no CPE for it. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 26.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-26661 is a vulnerability in SAP NetWeaver's ABAP Class Builder caused by a missing authorization check. This flaw allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. Successful exploitation could lead to disclosure of highly sensitive information, as well as high impact on the integrity and availability of the application. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization). It was published on 2025-03-11.

The attack requires low privileges (PR:L) and can be carried out over the network (AV:N) with low attack complexity and no user interaction. An authenticated attacker with existing low-level access can exploit the missing check to escalate privileges, achieving high impacts across confidentiality (disclosure of sensitive data), integrity, and availability of the affected application.

SAP provides mitigation guidance in its advisories, including SAP Note 3563927 available at https://me.sap.com/notes/3563927 and details on the SAP Security Patch Day at https://url.sap/sapsecuritypatchday.

Vulnerability details

Due to a missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation, this could result in disclosure of highly sensitive information. It could also have a high impact on the integrity and availability of the application.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is explicitly a missing authorization check enabling an authenticated low-privileged attacker to escalate privileges in SAP NetWeaver ABAP Class Builder, directly matching T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8547 (shared CWE-862)
CVE-2026-22172 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2026-0026 (shared CWE-862)
CVE-2025-48578 (shared CWE-862)
CVE-2025-48634 (shared CWE-862)
CVE-2026-28193 (shared CWE-862)
CVE-2026-0845 (shared CWE-862)
CVE-2025-49723 (shared CWE-862)
CVE-2024-12171 (shared CWE-862)

Affected Assets

SAP NetWeaver (ABAP Class Builder)
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): AC-3 requires systems to enforce approved authorizations for access, directly addressing the missing authorization check in SAP NetWeaver ABAP Class Builder that enables privilege escalation.

AC-6 Least Privilege (prevent): AC-6 mandates least privilege, restricting users and processes to the minimal necessary access levels to limit the impact of privilege escalation exploits.

AC-2 Account Management (prevent): AC-2 ensures proper management of accounts, roles, and privileges, reducing the risk of low-privileged attackers exploiting the vulnerability for escalation.
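To make the AC-3 and AC-6 points concrete, here is an added Python illustration (not SAP or ABAP code, and not taken from the advisory) of the CWE-862 pattern and its hardened form: a privileged write operation that performs no authorization check sits beside the same operation gated by an explicit, deny-by-default check, and an audit helper lists privileged operations that declare no check at all. The authorization names (`class:read`, `class:modify`), the principals, and the `ZCL_DEMO` repository entry are all made up for the example.

```python
"""Deny-by-default authorization enforcement for privileged operations.
Illustrative Python only; authorization names and data are constructed."""
from functools import wraps


class AuthorizationError(PermissionError):
    """Raised when a principal invokes an operation it is not authorized for."""


class Principal:
    def __init__(self, name, authorizations):
        self.name = name
        self.authorizations = frozenset(authorizations)


# Registry: operation name -> authorization it requires. Used both for
# enforcement (AC-3) and for auditing that no privileged operation is
# callable without a check (the CWE-862 failure mode).
REQUIRED_AUTHORIZATION = {}


def requires(authorization):
    """Decorator enforcing that the calling principal holds `authorization`."""
    def decorate(fn):
        REQUIRED_AUTHORIZATION[fn.__name__] = authorization

        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if authorization not in principal.authorizations:
                raise AuthorizationError(
                    f"{principal.name} lacks {authorization} for {fn.__name__}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorate


# Toy repository standing in for the development objects an IDE manages
# (constructed sample data).
CLASS_SOURCES = {"ZCL_DEMO": "original source"}


@requires("class:read")
def read_class(principal, name):
    return CLASS_SOURCES[name]


# Vulnerable pattern: a privileged write path with no authorization check,
# so any authenticated caller can change code (CWE-862).
def modify_class_vulnerable(principal, name, source):
    CLASS_SOURCES[name] = source
    return f"{name} modified by {principal.name}"


# Hardened pattern: the same operation gated by an explicit check (AC-3).
@requires("class:modify")
def modify_class(principal, name, source):
    CLASS_SOURCES[name] = source
    return f"{name} modified by {principal.name}"


def audit_missing_checks(privileged_operations):
    """Names of privileged operations that declare no required authorization."""
    return [fn.__name__ for fn in privileged_operations
            if fn.__name__ not in REQUIRED_AUTHORIZATION]


if __name__ == "__main__":
    # Least privilege (AC-6): a read-only developer holds only the read right.
    low = Principal("dev_readonly", {"class:read"})
    admin = Principal("dev_lead", {"class:read", "class:modify"})
    print(read_class(low, "ZCL_DEMO"))
    print(modify_class_vulnerable(low, "ZCL_DEMO", "attacker code"))  # escalation
    print(modify_class(admin, "ZCL_DEMO", "reviewed code"))
    try:
        modify_class(low, "ZCL_DEMO", "attacker code")
    except AuthorizationError as exc:
        print("blocked:", exc)
    print("operations missing a check:",
          audit_missing_checks([read_class, modify_class, modify_class_vulnerable]))
```

The design choice worth copying is that the check is declared next to the operation and recorded centrally, so "is there an operation with no check?" becomes a question the audit helper can answer mechanically rather than something a reviewer has to notice by reading every write path.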
