Description
Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.
Published: 2026-06-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper RFC protocol validation in the SAP Kernel used by Application Server ABAP allows an unauthenticated attacker to send a crafted RFC request that triggers logical errors in memory management, causing memory corruption. This vulnerability can affect the confidentiality, integrity, and availability of the application. The vulnerability does not require authentication, meaning any external user with network access could target the system.

Affected Systems

The affected product is SAP NetWeaver and ABAP Platform from SAP SE. No specific affected versions are listed in the CVE data, so any installation using the SAP Kernel that has not yet applied the official patch is likely vulnerable.

Risk and Exploitability

The CVSS score of 9.8 indicates a very high severity. The EPSS score is not available, but the lack of that data does not reduce the inherent risk. The vulnerability is not currently listed in the CISA KEV catalog. An unauthenticated attacker could exploit the flaw by sending a crafted RFC request, leading to memory corruption that could compromise confidentiality, integrity, and availability. No public exploits were reported, but the high CVSS and lack of mitigation elevate the risk significantly.

Generated by OpenCVE AI on June 9, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch documented in SAP Note 3717897 for SAP NetWeaver and ABAP Platform
  • Configure your infrastructure to allow RFC connections only from trusted IP addresses or hosts, and enforce firewall rules to block unauthorized RFC traffic
  • Monitor RFC traffic for abnormal requests and patterns of memory usage that may indicate exploitation attempts

Generated by OpenCVE AI on June 9, 2026 at 02:51 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 09 Jun 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Sap Se; Sap Se sap Netweaver And Abap Platform |
| Vendors & Products | | Sap Se; Sap Se sap Netweaver And Abap Platform |

Tue, 09 Jun 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application. |
| Title | | Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform |
| Weaknesses | | CWE-121 |
| References | | |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-06-09T13:03:56.011Z

Reserved: 2026-02-23T17:50:10.512Z

Link: CVE-2026-27671

Vulnrichment

Updated: 2026-06-09T13:03:49.452Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T01:16:45.903

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-27671

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T03:00:14Z

Weaknesses