CVE-2026-0509
Published: 10 February 2026
Summary
CVE-2026-0509 is a critical-severity Missing Authorization (CWE-862) vulnerability in SAP NetWeaver AS ABAP Kernel. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 5.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly requires enforcement of approved authorizations for system resources, mitigating the missing S_RFC authorization check that allows low-privileged users to execute background Remote Function Calls.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of flaws like this authorization bypass, enabling application of the SAP patch in note 3674774 to prevent exploitation.
- AC-6 (Least Privilege): Employs least privilege to restrict low-privileged users from accessing unnecessary functions, reducing the potential impact of unauthorized background RFC calls even if a bypass exists.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
Missing authorization (CWE-862) for background RFC execution over the network by low-privileged users directly enables exploitation of the remote SAP service for unauthorized function calls and impact.
NVD Description
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.
Deeper analysis
CVE-2026-0509 is a vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform that allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. Published on 2026-02-10, this issue is mapped to CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H), reflecting high impacts on integrity and availability but no confidentiality impact.
The vulnerability can be exploited over the network by an authenticated user with low privileges, with low attack complexity and no user interaction required. Successful exploitation lets the attacker execute unauthorized Remote Function Calls in the background, potentially leading to significant integrity violations such as data manipulation, and to availability disruptions such as denial of service; the changed scope (S:C) indicates the impact can extend beyond the vulnerable component itself.
SAP addresses this vulnerability in note 3674774, available at https://me.sap.com/notes/3674774, with further details provided as part of the SAP Security Patch Day at https://url.sap/sapsecuritypatchday. Security practitioners should review these advisories for patch deployment and mitigation guidance.
Details
- CWE(s)