Description
Due to a missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of the system information could assist the attacker to plan subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability.
Published: 2026-02-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

A function module in SAP Support Tools Plug‑In lacks an authorization check, so an authenticated user can invoke it and retrieve information about the system and its configuration. The confidentiality impact is low, with no effect on integrity or availability, but the disclosed information can help an attacker plan subsequent attacks. The weakness is classified as CWE‑862 (Missing Authorization).

Affected Systems

The flaw affects the SAP Support Tools Plug‑In offered by SAP SE. Versions impacted include 2008_1_700, 2008_1_710, 740, and 758. Any instance running these versions without the corrective update is susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity; the exploit probability is low (EPSS < 1%) and the CVE is not listed in CISA's KEV catalog. Exploitation requires an attacker to have valid SAP credentials and sufficient authorization to call the affected function modules. Once the modules are invoked, the attacker can retrieve information that could facilitate more targeted attacks. Because the vulnerability is limited to authenticated users, the risk remains moderate, but it should be mitigated promptly to prevent information leakage.

Generated by OpenCVE AI on April 17, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update provided in SAP Note 3680416 to SAP Support Tools Plug‑In.
  • If the update is pending deployment, restrict or disable the vulnerable function modules for users until the update is applied.
  • Monitor system logs for unauthorized calls to the function modules and review SAP integration access privileges.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap solution Tools Plug-in
CPEs cpe:2.3:a:sap:solution_tools_plug-in:2008_1_700:*:*:*:*:*:*:*
cpe:2.3:a:sap:solution_tools_plug-in:2008_1_710:*:*:*:*:*:*:*
cpe:2.3:a:sap:solution_tools_plug-in:740:*:*:*:*:*:*:*
cpe:2.3:a:sap:solution_tools_plug-in:758:*:*:*:*:*:*:*
Vendors & Products Sap
Sap solution Tools Plug-in

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Support Tools Plug-in
Vendors & Products Sap Se
Sap Se sap Support Tools Plug-in

Tue, 10 Feb 2026 03:45:00 +0000

Type Values Removed Values Added
Description Due to a missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of the system information could assist the attacker to plan subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability.
Title Missing Authorization check in a function module in SAP Support Tools Plug-In
Weaknesses CWE-862
References
Metrics cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T18:37:14.643Z

Reserved: 2026-01-14T18:26:17.297Z

Link: CVE-2026-23681

Vulnrichment

Updated: 2026-02-10T18:37:10.624Z

NVD

Status: Analyzed

Published: 2026-02-10T04:16:02.520

Modified: 2026-02-17T16:04:47.287

Link: CVE-2026-23681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses