Cyber Posture

CVE-2026-23687

High

Published: 10 February 2026
Modified: 17 February 2026
KEV Added: not listed
Patch: available (SAP security note 3697567)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23687 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Sap Sap Basis. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-13 (Cryptographic Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent, detect: Mandates cryptographic mechanisms to prevent unauthorized modification of information and detect such changes, directly addressing improper verification of cryptographic signatures in XML documents.

prevent, detect: Requires integrity verification of information using cryptographic methods such as signatures to detect unauthorized changes, mitigating acceptance of tampered signed XML messages.

prevent: Enforces digital signing and verification of information prior to use, preventing exploitation of flaws in cryptographic signature verification for XML documents.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1606 Forge Web Credentials (Credential Access)
Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

Why these techniques?

This CVE enables remote exploitation of SAP via a signature bypass on identity-bearing XML, which maps directly to exploitation of a public-facing application and to the forging of signed credentials or tokens.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage.

Deeper analysis

CVE-2026-23687 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting SAP NetWeaver Application Server ABAP and ABAP Platform, classified under CWE-347 (Improper Verification of Cryptographic Signature). Published on 2026-02-10, it enables an authenticated attacker with normal privileges to obtain a valid signed message and then send modified signed XML documents to the verifier. This flaw can lead to the acceptance of tampered identity information.

Exploitation requires only low privileges and network access, with low attack complexity and no user interaction. Because the verifier accepts falsified identity data, successful exploitation yields unauthorized access to sensitive user information and can disrupt normal system operations, with high impact on confidentiality, integrity and availability.

SAP has addressed this issue in security note 3697567, available at https://me.sap.com/notes/3697567, released as part of the SAP Security Patch Day documented at https://url.sap/sapsecuritypatchday. Security practitioners should review these advisories for patch deployment and mitigation guidance.

Details

CWE(s)

CWE-347 Improper Verification of Cryptographic Signature

Affected Products

Vendor: sap
Product: sap basis
Versions: 700, 701, 702, 731, 740

CVEs Like This One

CVE-2025-0066 (same product: Sap Sap Basis)
CVE-2025-0063 (same product: Sap Sap Basis)
CVE-2025-23193 (same product: Sap Sap Basis)
CVE-2026-34240 (shared CWE-347)
CVE-2026-22817 (shared CWE-347)
CVE-2026-22818 (shared CWE-347)
CVE-2026-24322 (same vendor: Sap)
CVE-2026-0508 (same vendor: Sap)
CVE-2026-27962 (shared CWE-347)
CVE-2026-0490 (same vendor: Sap)

References