
CVE-2026-0498

Critical · RCE

Published: 13 January 2026
Modified: 22 January 2026
KEV Added: not listed (see Summary)
Patch: SAP security note 3694242 (see Deeper analysis)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0041 (32.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-0498 is a critical-severity Code Injection (CWE-94) vulnerability in SAP S/4HANA. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). EPSS ranks it at the 32.6th percentile by exploit likelihood (below the median), consistent with the high-privilege precondition, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), which here means applying SAP security note 3694242, and SI-10 (Information Input Validation) as a compensating control around the exposed function module.

Deeper analysis

CVE-2026-0498 is a critical vulnerability in SAP S/4HANA Private Cloud and On-Premise editions, located in a function module exposed via RFC. Published on January 13, 2026, it allows an attacker who already holds admin privileges to inject arbitrary ABAP code or OS commands because the module skips the authorization checks that should gate such operations. Classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), the flaw acts as a backdoor: successful exploitation can lead to complete system compromise, undermining confidentiality, integrity, and availability.

An attacker needs high-privilege admin access, after which exploitation is network-reachable, low in complexity, and requires no user interaction. By calling the exposed RFC function module, the attacker executes arbitrary ABAP code or OS commands without the standard authorization checks being applied. The scope change (S:C) in the vector reflects that the damage is not confined to the abusing account's own authorizations: OS commands issued from the ABAP stack run as the application server's operating-system user, so full control over the SAP system follows, enabling data exfiltration, modification, or disruption across the affected environment.

SAP addresses this issue in security note 3694242, available at https://me.sap.com/notes/3694242, released as part of the SAP Security Patch Day (https://url.sap/sapsecuritypatchday). Administrators should apply the note's corrections. Until that is done, restricting which accounts may call the affected function group over RFC (SAP's S_RFC authorization object) and which hosts may reach the gateway reduces the set of admin accounts an attacker must first compromise, but it does not remove the flaw.


Vulnerability details

SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables arbitrary ABAP/OS command injection through an RFC-exposed function module with authorization checks bypassed. Executing injected ABAP or OS commands is Command and Scripting Interpreter (T1059); reaching the flaw through a network-exposed RFC service from a foothold elsewhere in the landscape is Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
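Since the page does not name the affected function module, detection for this class of abuse has to key on the preconditions the advisory does state: the caller already holds admin privileges and the call arrives over RFC. The following triage script is an added example, not code from the page or from SAP. It reads a constructed, simplified Security Audit Log export (the column layout, user set, host allowlist and every log line are made up for illustration; real SM20/RSAU exports have a different layout and the parser would need adapting) and flags RFC calls by admin accounts from hosts that are not known RFC integration hosts, plus failed RFC calls made with admin credentials, which in practice often precede a successful one.

```python
"""Triage admin-account RFC activity in a simplified Security Audit Log export.

Constructed example: the export layout, the user sets, the host allowlist and
every sample line below are invented for illustration. Adapt parse_line() to
the real export format before using this against a production log.
"""
import re
from dataclasses import dataclass, field

# Constructed: accounts known to hold administrative authorizations.
ADMIN_USERS = {"DDIC", "BASISADM", "JDOE"}
# Constructed: terminals/hosts that legitimately make RFC calls with such accounts.
APPROVED_RFC_HOSTS = {"sapgw01", "solman01"}

# Security Audit Log message classes for RFC function calls (succeeded / failed).
RFC_SUCCESS, RFC_FAILURE = "AUK", "AUL"

# Constructed sample export. Columns: date|time|client|user|terminal|msg_id|text
# Function module and function group names here are illustrative only.
SAMPLE_LOG = """\
2026-01-20|08:15:02|100|BASISADM|sapgw01|AUK|Successful RFC call RFC_READ_TABLE (function group SDTX)
2026-01-20|08:16:40|100|JDOE|ws-4471|AUK|Successful RFC call Z_DEMO_FM (function group ZDEMO)
2026-01-20|08:16:55|100|JDOE|ws-4471|AUL|Failed RFC call Z_DEMO_FM (function group ZDEMO)
2026-01-20|08:20:11|100|SVC_INTEG|sapgw01|AUK|Successful RFC call BAPI_USER_GET_DETAIL (function group SU_USER)
2026-01-20|08:21:03|100|DDIC|10.0.9.55|AUK|Successful RFC call RFC_PING (function group SRFC)
"""

# Matches the constructed message text above, not SAP's exact wording.
_FM_RE = re.compile(r"RFC call (\S+) \(function group (\S+)\)")


@dataclass
class Entry:
    line_no: int
    user: str
    terminal: str
    msg_id: str
    function_module: str
    function_group: str


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def parse_line(line_no, line):
    """Parse one export line; returns None for non-RFC messages or malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 7:
        return None
    _date, _time, _client, user, terminal, msg_id, text = parts
    if msg_id not in (RFC_SUCCESS, RFC_FAILURE):
        return None
    match = _FM_RE.search(text)
    if not match:
        return None
    return Entry(line_no, user, terminal, msg_id, match.group(1), match.group(2))


def assess(entry):
    """Return a Finding when an admin account's RFC call looks out of place, else None."""
    if entry.user not in ADMIN_USERS:
        return None  # the PR:H precondition is not met for this caller
    reasons = []
    if entry.terminal not in APPROVED_RFC_HOSTS:
        reasons.append("admin account calling RFC from unapproved host")
    if entry.msg_id == RFC_FAILURE:
        reasons.append("failed RFC call with admin credentials (possible probing)")
    return Finding(entry, reasons) if reasons else None


def triage(export_text):
    """Run assess() over every parseable line and collect the findings in log order."""
    findings = []
    for line_no, line in enumerate(export_text.splitlines(), start=1):
        entry = parse_line(line_no, line)
        if entry is None:
            continue
        finding = assess(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Per-user count of flagged calls, to decide which account owner to contact first."""
    counts = {}
    for f in findings:
        counts[f.entry.user] = counts.get(f.entry.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        e = f.entry
        print(f"line {e.line_no}: {e.user}@{e.terminal} -> {e.function_module}: {'; '.join(f.reasons)}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed sample this flags JDOE twice (a workstation, not an integration host, and one failed call) and DDIC once (an IP address rather than an approved host), while the integration account and the approved-host admin call pass. Once note 3694242 is applied the rule still earns its keep: admin-credential RFC traffic from unexpected hosts is the precondition for this whole vulnerability class, not just this CVE.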

CVEs Like This One

CVE-2026-0500 (same vendor: SAP)
CVE-2026-21537 (shared CWE-94)
CVE-2024-54448 (shared CWE-94)
CVE-2026-0509 (same vendor: SAP)
CVE-2026-0508 (same vendor: SAP)
CVE-2026-23689 (same vendor: SAP)
CVE-2024-49747 (shared CWE-94)
CVE-2025-70364 (shared CWE-94)
CVE-2026-23687 (same vendor: SAP)
CVE-2026-0490 (same vendor: SAP)

Affected Assets

Vendor: SAP
Product: S/4HANA
Versions: 102, 103, 104, 105, 106

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the code injection vulnerability by requiring timely application of vendor patches, here SAP security note 3694242, which corrects the flawed RFC function module.

SI-10 Information Input Validation (prevent): Reduces the chance of arbitrary ABAP code or OS command injection by enforcing validation of inputs reaching the exposed RFC function module; a compensating measure, not a substitute for the patch.

Access enforcement (prevent; the page does not give the control identifier): Enforces the authorization checks that the vulnerability bypasses, limiting exploitation even by admin-privileged attackers.
