Cyber Posture

CVE-2026-24322

Severity: High
Published: 10 February 2026
Modified: 17 February 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: SAP Note 3705882
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0004 (13.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24322 is a high-severity Missing Authorization (CWE-862) vulnerability in SAP Solution Tools Plug-In (ST-PI). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS model ranks it at the 13.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement) mandates enforcement of approved authorizations for access to information and resources, directly mitigating the missing authorization checks in the ST-PI function module that enable sensitive data disclosure.

Prevent: AC-6 (Least Privilege) enforces least-privilege restrictions, reducing the potential impact by limiting low-privileged users' access to sensitive information reachable via the vulnerable function module.

Prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and correction of system flaws, such as applying the SAP patch from Note 3705882 to remediate the missing authorization vulnerability.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization checks (CWE-862) in a network-accessible SAP component directly enable remote exploitation by low-privileged users to obtain sensitive data, matching the definition of T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.

Deeper analysis

CVE-2026-24322 affects the SAP Solution Tools Plug-In (ST-PI), where a function module fails to perform necessary authorization checks for authenticated users, enabling the disclosure of sensitive information. Published on 2026-02-10, this vulnerability is classified under CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high impact on confidentiality with no effects on integrity or availability.

Low-privileged authenticated users can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Because the scope changes (S:C), successful exploitation results in high confidentiality impact beyond the vulnerable component itself, potentially exposing sensitive data accessible via the affected function module.

SAP advisories, including Note 3705882 available at https://me.sap.com/notes/3705882 and details from the SAP Security Patch Day at https://url.sap/sapsecuritypatchday, provide guidance on mitigation, such as applying relevant patches to address the missing authorization checks.

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products

SAP Solution Tools Plug-In (ST-PI): versions 2008_1_700, 2008_1_710, 740, 758

CVEs Like This One

CVE-2026-0506 (same vendor: SAP)
CVE-2026-0490 (same vendor: SAP)
CVE-2026-0509 (same vendor: SAP)
CVE-2026-0488 (same vendor: SAP)
CVE-2026-0508 (same vendor: SAP)
CVE-2025-67974 (shared CWE-862)
CVE-2026-28254 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2025-69297 (shared CWE-862)
CVE-2025-69186 (shared CWE-862)

References

SAP Note 3705882: https://me.sap.com/notes/3705882
SAP Security Patch Day: https://url.sap/sapsecuritypatchday