Cyber Resilience

CVE-2026-27689

Severity: High
Published: 10 March 2026
Modified: 11 March 2026
CISA KEV: not listed
Patch: see SAP Note 3719502
CVSS v3.1 base score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
EPSS score: 0.0010 (26.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27689 is a high-severity Unchecked Input for Loop Condition (CWE-606) vulnerability in SAP software (vendor inferred from references). Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks the CVE at the 26.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27689, published on 2026-03-10, is an unchecked-input-for-loop-condition vulnerability (CWE-606) that leads to uncontrolled resource consumption and a denial-of-service condition in a remote-enabled function module within SAP software. When a caller supplies an excessively large loop-control parameter, the module executes a prolonged loop that consumes excessive system resources and can render the system unavailable. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H): network accessible, low attack complexity, low privileges required, no user interaction, changed scope, and high availability impact with no confidentiality or integrity impact.

An authenticated attacker possessing regular user privileges and network access can exploit the vulnerability by repeatedly invoking the affected remote-enabled function module with an oversized loop-control parameter. This triggers resource exhaustion through extended loop execution, leading to a denial-of-service state that disrupts system availability. Confidentiality and integrity are not impacted.

Mitigation details are provided in SAP Note 3719502 (https://me.sap.com/notes/3719502) and on the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday).

Vulnerability details

Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.

CWE(s)

CWE-606 Unchecked Input for Loop Condition

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is an authenticated remote resource exhaustion flaw in an SAP remote-enabled function module that directly enables an adversary to trigger prolonged loop execution and cause endpoint unavailability; this maps exactly to T1499.004 (Application or System Exploitation) under the Endpoint Denial of Service tactic.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23689 (shared CWE-606)
CVE-2026-1519 (shared CWE-606)

Affected Assets

SAP
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring timely remediation of the specific software flaw in the remote-enabled function module that allows uncontrolled resource consumption.

Prevent (SI-10, Information Input Validation): Validates the loop-control input parameter to prevent excessively large values that trigger prolonged loop execution and resource exhaustion.

Prevent (SC-5, Denial-of-service Protection): Implements denial-of-service protections specifically against resource consumption attacks like repeated invocation of the vulnerable function with oversized parameters.
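The two controls above, worked through as an added example that is not SAP's code and not part of this advisory: a simulated remote-enabled function module whose loop count comes from the caller, shown in the unchecked form (CWE-606) and then hardened with a bound on the loop-control parameter (SI-10) and a per-caller call budget against repeated invocation (SC-5). The parameter name IV_LOOP_COUNT, the function names and the limits are assumptions.

```python
import time
from collections import defaultdict

MAX_LOOP_COUNT = 10_000   # hypothetical upper bound for the loop-control parameter
CALLS_PER_WINDOW = 5      # hypothetical per-caller budget of calls per window
WINDOW_SECONDS = 60.0

class RfcError(Exception):
    """Returned to the caller instead of executing the loop."""

def unbounded_module(params):
    """Unchecked pattern (CWE-606): the loop bound is whatever IV_LOOP_COUNT carries."""
    n = int(params["IV_LOOP_COUNT"])
    total = 0
    for i in range(n):   # runtime grows linearly with the caller-supplied value
        total += i
    return total

def validate_loop_count(params):
    """SI-10: reject missing, non-numeric, negative or oversized values before any work."""
    raw = params.get("IV_LOOP_COUNT")
    try:
        n = int(raw)
    except (TypeError, ValueError):
        raise RfcError(f"IV_LOOP_COUNT is not an integer: {raw!r}")
    if not 0 <= n <= MAX_LOOP_COUNT:
        raise RfcError(f"IV_LOOP_COUNT {n} is outside 0..{MAX_LOOP_COUNT}")
    return n

class CallBudget:
    """SC-5: fixed-window call budget per caller, so one user cannot keep a work process busy."""
    def __init__(self, now=time.monotonic):
        self.now = now
        self.windows = defaultdict(lambda: [0.0, 0])  # user -> [window_start, calls]

    def admit(self, user):
        t = self.now()
        start, calls = self.windows[user]
        if t - start >= WINDOW_SECONDS:
            self.windows[user] = [t, 1]   # new window; this call is the first in it
            return True
        if calls >= CALLS_PER_WINDOW:
            return False                  # rejected calls still count against the budget
        self.windows[user][1] = calls + 1
        return True

def hardened_module(params, user, budget):
    """Budget check, then input validation, and only then the bounded loop."""
    if not budget.admit(user):
        raise RfcError(f"call budget exhausted for {user}")
    return sum(range(validate_loop_count(params)))
```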
