Description
SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
Published: 2026-01-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Code Injection leading to full system compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a code injection flaw in SAP S/4HANA’s RFC‑exposed function module. An attacker who has administrative privileges can inject arbitrary ABAP code or operating‑system commands, bypassing the system’s authorization checks. This capability effectively creates a backdoor that allows the attacker to read, modify, or delete data, disrupt services, or otherwise take full control of the system.

Affected Systems

SAP S/4HANA (Private Cloud and On‑Premise) versions 10.2 through 10.9 are impacted, as evidenced by the associated CPE identifiers. The flaw exists in the function module that is made available via RFC calls in these releases.

Risk and Exploitability

The flaw carries a CVSS v3.1 score of 9.1, indicating critical severity. The EPSS score is reported as less than 1%, implying a low probability that the vulnerability will be exploited in the wild, and it is not currently listed in the CISA KEV catalog. Attackers must possess administrative rights and must invoke the vulnerable RFC function module. Once the payload is delivered, the attacker can execute arbitrary code with the system’s privileges, potentially resulting in a full compromise of confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 18, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3694242 to update the vulnerable RFC function module
  • If a patch is not yet available, restrict or remove administrative privileges from users that can invoke the exposed RFC function and consider disabling the function module entirely
  • Deploy monitoring to detect anomalous RFC activity, focusing on calls to the affected function module, and establish alerting for any unexpected command execution


Tracking


Advisories

No advisories yet.

History

Thu, 22 Jan 2026 23:00:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Sap s/4 Hana

Type: CPEs
  Values removed: (none)
  Values added:
    cpe:2.3:a:sap:s\/4_hana:102:*:*:*:*:*:*:*
    cpe:2.3:a:sap:s\/4_hana:103:*:*:*:*:*:*:*
    cpe:2.3:a:sap:s\/4_hana:104:*:*:*:*:*:*:*
    cpe:2.3:a:sap:s\/4_hana:105:*:*:*:*:*:*:*
    cpe:2.3:a:sap:s\/4_hana:106:*:*:*:*:*:*:*
    cpe:2.3:a:sap:s\/4_hana:107:*:*:*:*:*:*:*
    cpe:2.3:a:sap:s\/4_hana:108:*:*:*:*:*:*:*
    cpe:2.3:a:sap:s\/4_hana:109:*:*:*:*:*:*:*

Type: Vendors & Products
  Values removed: (none)
  Values added: Sap s/4 Hana

Tue, 13 Jan 2026 15:15:00 +0000

Type: Metrics (ssvc)
  Values removed: (none)
  Values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 09:30:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Sap; Sap s/4hana

Type: Vendors & Products
  Values removed: (none)
  Values added: Sap; Sap s/4hana

Tue, 13 Jan 2026 01:45:00 +0000

Type: Description
  Values removed: (none)
  Values added: SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

Type: Title
  Values removed: (none)
  Values added: Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-94

Type: References
  Values removed: (none)
  Values added: (none listed)

Type: Metrics (cvssV3_1)
  Values removed: (none)
  Values added:
    {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-26T15:04:49.230Z

Reserved: 2025-12-09T22:06:39.790Z

Link: CVE-2026-0498

Vulnrichment

Updated: 2026-01-13T15:10:58.868Z

NVD

Status: Analyzed

Published: 2026-01-13T02:15:52.300

Modified: 2026-01-22T18:44:20.380

Link: CVE-2026-0498

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses