Description
Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected.
Published: 2026-02-10
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch Locally
AI Analysis

Impact

A deserialization flaw in the SAP NetWeaver JMS service allows an attacker who is an authenticated administrator with local access to submit maliciously crafted content. When processed by the application, this content can trigger unintended internal logic, causing a denial of service. The weakness is classified as CWE‑502 insecure deserialization and does not affect confidentiality or integrity.

Affected Systems

SAP NetWeaver 7.50 JMS service, administered by SAP SE. The vulnerability applies to any instance of this product running the JMS component.

Risk and Exploitability

The CVSS score is 4.4, indicating medium severity, while the EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog, implying a low probability of widespread exploitation. The attack requires local administrative access, so it is not remotely exploitable. An adversary who meets this prerequisite can execute a simple message injection that would disrupt service availability, potentially affecting all users of the affected system.

Generated by OpenCVE AI on April 18, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security patch referenced in SAP Note 3687285 to correct the deserialization flaw.
  • Limit the exposure of the JMS service to trusted networks and enforce strong authentication for local administrators.
  • Implement monitoring for sudden message spikes or resource exhaustion on the JMS service to detect attempted exploitation.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Sap; Sap netweaver |
| CPEs | | cpe:2.3:a:sap:netweaver:7.50:*:*:*:java_as:*:*:* |
| Vendors & Products | | Sap; Sap netweaver |

Tue, 10 Feb 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 10 Feb 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Sap Se; Sap Se sap Netweaver (jms Service) |
| Vendors & Products | | Sap Se; Sap Se sap Netweaver (jms Service) |

Tue, 10 Feb 2026 03:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected. |
| Title | | Insecure Deserialization vulnerability in SAP NetWeaver (JMS service) |
| Weaknesses | | CWE-502 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T17:19:28.762Z

Reserved: 2026-01-14T18:26:17.297Z

Link: CVE-2026-23685

Vulnrichment

Updated: 2026-02-10T17:19:25.418Z

NVD

Status: Analyzed

Published: 2026-02-10T04:16:02.850

Modified: 2026-02-17T16:04:13.617

Link: CVE-2026-23685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses