Description
Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.
Published: 2026-03-10
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service during resource exhaustion
Action: Apply Patch
AI Analysis

Impact

An authenticated attacker with regular user rights and network access can repeatedly call a remote-enabled function module in SAP Supply Chain Management, supplying an excessively large loop-control parameter that forces the function to execute a long loop and consume excessive CPU and memory resources. The attack does not affect confidentiality or integrity, but it can render the application or the host machine unavailable until the system recovers or is restarted.

Affected Systems

SAP Supply Chain Management, as disclosed by SAP_SE. No specific version details are provided, so any instance of the application that implements the vulnerable function module and is reachable over the network may be affected.

Risk and Exploitability

The vulnerability has a CVSS score of 7.7, classifying it as high severity, yet the EPSS score is less than 1%, indicating a very low probability of exploitation in the wild. The attack requires network connectivity to the SAP application and valid user credentials, but it does not require elevated privileges. Because the exploit path is a remote function call with an attacker-controlled parameter, the attack vector is network-based. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 16, 2026 at 09:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch or update to SAP Supply Chain Management as recommended in SAP Note 3719502.
  • Restrict or disable remote access to the affected function module and enforce input validation to reject large loop-control values.
  • Implement system resource limits or a watchdog that detects unusually long-running processes and terminates them to mitigate the impact of an attempted exploitation.
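The input-validation measure in the second action above, shown as an added illustration that is not SAP's code and not part of this record: a hypothetical remote-enabled function module in ABAP that bounds the loop-control parameter and performs an application-level authorization check before doing any work. The function name Z_EXAMPLE_RUN_BATCH, the parameter IV_LOOP_COUNT, the authorization object Z_BATCH_RUN and the limit of 1000 are all assumptions chosen for the example.

```abap
*&---------------------------------------------------------------------*
*& Hypothetical remote-enabled function module (not SAP's code).
*& Z_EXAMPLE_RUN_BATCH, IV_LOOP_COUNT, Z_BATCH_RUN and the limit of 1000
*& are assumptions for illustration only.
*&---------------------------------------------------------------------*
FUNCTION z_example_run_batch.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_LOOP_COUNT) TYPE I
*"  EXPORTING
*"     VALUE(EV_PROCESSED) TYPE I
*"  EXCEPTIONS
*"     NOT_AUTHORIZED
*"     LOOP_COUNT_OUT_OF_RANGE
*"----------------------------------------------------------------------

  " Upper bound for the loop-control parameter. Choose a value that covers
  " legitimate business use; anything above it is rejected before any work
  " is done, so a caller cannot make the work factor arbitrarily large.
  CONSTANTS lc_max_loop_count TYPE i VALUE 1000.

  " Application-level authorization check, in addition to the S_RFC check
  " the RFC runtime performs for remote calls. Z_BATCH_RUN is a hypothetical
  " authorization object; ACTVT 16 is the standard "Execute" activity.
  AUTHORITY-CHECK OBJECT 'Z_BATCH_RUN'
    ID 'ACTVT' FIELD '16'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " Reject non-positive and oversized values before entering the loop.
  " The caller receives a classic exception instead of a long-running call.
  IF iv_loop_count <= 0 OR iv_loop_count > lc_max_loop_count.
    RAISE loop_count_out_of_range.
  ENDIF.

  " Bounded work: the loop runs at most lc_max_loop_count times per call.
  ev_processed = 0.
  DO iv_loop_count TIMES.
    " ... per-item processing would go here ...
    ev_processed = ev_processed + 1.
  ENDDO.

ENDFUNCTION.
```

The order matters: the authorization and range checks run before any resource-consuming work, so an oversized value costs the server only a comparison and an exception. Bounding a single call does not by itself limit how often a user may call the module, so the third action (resource limits or a watchdog for long-running processes) remains relevant for repeated calls.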

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Sap; Sap supply Chain Management

Type: Vendors & Products
Values Added: Sap; Sap supply Chain Management

Tue, 10 Mar 2026 00:45:00 +0000

Type: Description
Values Added: Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.

Type: Title
Values Added: Denial of service (DOS) in SAP Supply Chain Management

Type: Weaknesses
Values Added: CWE-606

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-10T16:52:30.031Z

Reserved: 2026-02-23T17:50:17.028Z

Link: CVE-2026-27689

Vulnrichment

Updated: 2026-03-10T15:35:54.216Z

NVD

Status: Awaiting Analysis

Published: 2026-03-10T17:38:11.683

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-27689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses