Cyber Resilience

CVE-2026-27685

CriticalRCE

Published: 10 March 2026

Published
10 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0055 41.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-27685 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Sap (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 41.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

SAP NetWeaver Enterprise Portal Administration contains a deserialization vulnerability (CWE-502) that affects systems where a privileged user can upload untrusted or malicious content. Upon deserialization of this content, an attacker could achieve a high impact on the confidentiality, integrity, and availability of the host system. The vulnerability, tracked as CVE-2026-27685, was published on 2026-03-10 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity.

Exploitation requires an attacker to possess privileged user access (PR:H) to the Enterprise Portal Administration interface over the network (AV:N). By uploading specially crafted malicious content, the attacker can trigger unsafe deserialization, leading to scope expansion (S:C) and full compromise of the host system, including high-impact unauthorized disclosure, modification, and disruption of data and services.

SAP advisories provide mitigation details in Note 3714585 (https://me.sap.com/notes/3714585) and as part of the SAP Security Patch Day (https://url.sap/sapsecuritypatchday), recommending application of available patches to address the deserialization flaw and prevent privileged user exploitation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentiality, integrity, and availability of the host system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Deserialization of attacker-controlled content uploaded via the privileged admin interface (AV:N, PR:H) directly enables RCE and scope change to full host compromise, mapping to exploitation of a network-accessible application (T1190) for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53560Shared CWE-502
CVE-2026-22346Shared CWE-502
CVE-2025-33243Shared CWE-502
CVE-2026-33858Shared CWE-502
CVE-2024-28777Shared CWE-502
CVE-2026-27338Shared CWE-502
CVE-2026-24978Shared CWE-502
CVE-2026-25360Shared CWE-502
CVE-2025-54007Shared CWE-502
CVE-2026-24954Shared CWE-502

Affected Assets

Sap
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the deserialization vulnerability (CWE-502) by requiring timely remediation through application of SAP patches as specified in Note 3714585.

prevent

Validates and sanitizes uploaded content in the Enterprise Portal Administration interface to block malicious deserialization payloads.

prevent

Limits privileged user access (PR:H requirement) to the vulnerable administration interface, reducing the attack surface for exploitation.

References