Cyber Posture

CVE-2025-26661

High

Published: 11 March 2025

Modified: 15 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (26.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26661 is a high-severity Missing Authorization (CWE-862) vulnerability in SAP NetWeaver (vendor inferred from references). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 26.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 [prevent]: requires systems to enforce approved authorizations for access, directly addressing the missing authorization check in SAP NetWeaver ABAP Class Builder that enables privilege escalation.

AC-6 [prevent]: mandates least privilege, restricting users and processes to the minimal necessary access levels to limit the impact of privilege escalation exploits.

AC-2 [prevent]: ensures proper management of accounts, roles, and privileges, reducing the risk of low-privileged attackers exploiting the vulnerability for escalation.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is explicitly a missing authorization check enabling an authenticated low-privileged attacker to escalate privileges in SAP NetWeaver ABAP Class Builder, directly matching T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Due to missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation, this could result in disclosure of highly sensitive information. It could also have a high impact on the integrity and availability of the application.

Deeper analysis

CVE-2025-26661 is a vulnerability in SAP NetWeaver's ABAP Class Builder caused by a missing authorization check. This flaw allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. Successful exploitation could lead to disclosure of highly sensitive information, as well as high impact on the integrity and availability of the application. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization). It was published on 2025-03-11.

The attack requires low privileges (PR:L) and can be carried out over the network (AV:N) with low attack complexity and no user interaction. An authenticated attacker with existing low-level access can exploit the missing check to escalate privileges, achieving high impacts across confidentiality (disclosure of sensitive data), integrity, and availability of the affected application.

SAP provides mitigation guidance in its advisories, including SAP Note 3563927 available at https://me.sap.com/notes/3563927 and details on the SAP Security Patch Day at https://url.sap/sapsecuritypatchday.

Details

CWE(s)

CWE-862 (Missing Authorization)

Affected Products

SAP (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-48574 (shared CWE-862)
CVE-2024-57726 (shared CWE-862)
CVE-2024-55073 (shared CWE-862)
CVE-2025-24734 (shared CWE-862)
CVE-2025-48578 (shared CWE-862)
CVE-2025-7695 (shared CWE-862)
CVE-2025-2815 (shared CWE-862)
CVE-2026-39355 (shared CWE-862)
CVE-2026-29180 (shared CWE-862)
CVE-2025-23025 (shared CWE-862)

References