#VU105493 Missing Authorization in SAP NetWeaver AS ABAP - CVE-2025-26661

Cybersecurity Help s.r.o.

Published: 2025-03-11

Vulnerability identifier: #VU105493

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-26661

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP NetWeaver AS ABAP
Server applications / Application servers

Vendor: SAP

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to missing authorization checks within the ABAP Class Builder component. A remote authenticated user can bypass authorization and escalate privileges within the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAP NetWeaver AS ABAP: 700 - 914

External links
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march-2025.html
https://me.sap.com/notes/3563927

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in SAP NetWeaver AS ABAP