CVE-2025-26661: A missing authorization check in SAP NetWeaver (ABAP Class Builder) enables privilege escalation. An attacker with a low-privileged account can gain higher access levels, potentially disclosing highly sensitive information, with a high impact on integrity and availability. The issue affects multiple SAP_BASIS versions and is rated high severity.


Description Preview

CVE-2025-26661 describes a missing authorization check in SAP NetWeaver (ABAP Class Builder) that allows an authenticated attacker to escalate privileges beyond the level they were granted. On successful exploitation this can lead to disclosure of highly sensitive information and a significant impact on the integrity and availability of the application. The vulnerability carries a CVSS v3.1 base score of 8.8 (HIGH): network attack vector, low attack complexity, no user interaction, and only low privileges required. It affects SAP_BASIS versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, and 914. The root cause is a missing authorization verification within the ABAP Class Builder component.

Overview

This vulnerability arises from missing authorization checks in SAP NetWeaver (ABAP Class Builder), enabling a remote, authenticated attacker to escalate to higher access levels than permitted. If exploited, it could result in the disclosure of highly sensitive information and have a significant impact on the integrity and availability of the SAP NetWeaver environment. The affected versions span a broad set of SAP_BASIS releases, so most enterprises running NetWeaver ABAP systems should assume they are in scope until they verify their patch level. The CVSS score reflects high severity because confidentiality, integrity and availability can all be compromised without any user interaction and from a low-privileged starting point.

Remediation

  • Apply the SAP security patch for this issue, SAP Note 3563927, together with any accompanying SAP Security Patch Day updates.
  • Bring SAP_BASIS to the patched support package level recommended by SAP in that note; check the installed level for each affected release (700 through 758 and 914) rather than assuming a single system-wide value.
  • Implement least-privilege access controls around the ABAP Class Builder (transaction SE24, also reachable through the Object Navigator SE80): review who holds development authorizations such as S_DEVELOP and restrict roles to only those required for legitimate work, particularly in production clients.
  • Enable the Security Audit Log and review it, together with change controls, to detect privilege escalation and unauthorized access attempts, including unexpected starts of development transactions by non-developer accounts.
  • Harden network exposure: restrict access to the NetWeaver instances hosting the ABAP Class Builder, enforce network segmentation, and apply firewall or network ACLs to limit reachability to the users and hosts that need it.
  • Validate the fix after patching per SAP's guidance, including regression testing that confirms the authorization checks are enforced for low-privileged users and not just for administrators.
  • If immediate patching is not possible, apply compensating controls: lock or remove access to SE24/SE80 in production for all but approved developers, and monitor privileged activity closely until the patch is applied.
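The audit-log and compensating-control bullets above describe what to watch for; the script below is an added example (not code from the advisory or from SAP) that implements that detection over a few constructed Security Audit Log records. It assumes SE24 and SE80 are the transactions that reach the Class Builder, that AU3 and AU4 are the standard SAL message IDs for "transaction started" and "transaction start failed", that PRD is the production system ID, and that the pipe-separated line format and the APPROVED_DEVELOPERS allowlist are simplifications you would replace with your own SM20/RSAU_READ_LOG export and role data.

```python
"""
Constructed example: flag Security Audit Log (SAL) events in which a user who is
not an approved developer started, or tried to start, the ABAP Class Builder on
a production system. Every record and name below is made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Transactions that open the ABAP Class Builder directly (SE24) or reach it
# through the Object Navigator (SE80). The set is an assumption; extend it
# to any other workbench entry points your organisation cares about.
CLASS_BUILDER_TCODES = {"SE24", "SE80"}

# SAL message IDs: AU3 = transaction started, AU4 = transaction start failed.
# Both are interesting: a failed start is still an attempt worth seeing.
TCODE_EVENT_IDS = {"AU3", "AU4"}

# Hypothetical allowlist of users who legitimately develop in production.
APPROVED_DEVELOPERS = {"DEV_ALICE"}


@dataclass(frozen=True)
class SalEvent:
    timestamp: str
    system: str   # SAP system ID, e.g. PRD
    client: str   # SAP client, e.g. 100
    user: str
    msg_id: str   # SAL message ID
    tcode: str    # transaction code the event refers to


# Constructed sample export, simplified to one '|'-separated line per event.
# A real SM20 / RSAU_READ_LOG export carries more columns; adapt parse_line.
SAMPLE_SAL = """\
2025-04-09 08:01:12|PRD|100|DEV_ALICE|AU3|SE24
2025-04-09 08:02:45|PRD|100|AP_CLERK_07|AU3|SE24
2025-04-09 08:03:10|PRD|100|AP_CLERK_07|AU3|FB60
2025-04-09 08:05:33|PRD|100|SVC_IFACE|AU3|SE80
2025-04-09 08:06:00|DEV|100|AP_CLERK_07|AU3|SE24
2025-04-09 08:07:21|PRD|100|AP_CLERK_07|AU4|SE24
"""


def parse_line(line: str) -> SalEvent:
    """Split one simplified SAL line into a SalEvent."""
    ts, system, client, user, msg_id, tcode = line.split("|")
    return SalEvent(ts, system, client, user, msg_id, tcode)


def parse_sal(text: str) -> list[SalEvent]:
    """Parse the whole export, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_suspicious(events: list[SalEvent],
                    production_systems: tuple[str, ...] = ("PRD",)) -> list[SalEvent]:
    """Return events where a non-approved user started or attempted to start a
    Class Builder transaction on a production system, in log order."""
    hits = []
    for e in events:
        if e.system not in production_systems:
            continue                      # development/QA usage is expected
        if e.msg_id not in TCODE_EVENT_IDS:
            continue                      # not a transaction-start event
        if e.tcode not in CLASS_BUILDER_TCODES:
            continue                      # some other transaction
        if e.user in APPROVED_DEVELOPERS:
            continue                      # approved developer, not a finding
        hits.append(e)
    return hits


def summarize(hits: list[SalEvent]) -> dict[str, int]:
    """Count findings per user, noisiest account first, ties by user name."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.user] = counts.get(h.user, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    findings = find_suspicious(parse_sal(SAMPLE_SAL))
    for h in findings:
        print(f"{h.timestamp} {h.system}/{h.client} {h.user} {h.msg_id} {h.tcode}")
    print(summarize(findings))
```

Run against the constructed sample, the script flags the three production events by AP_CLERK_07 and SVC_IFACE (including the failed start, AU4) and ignores the approved developer, the unrelated FB60 transaction, and the identical SE24 start on the DEV system. The allowlist is deliberately a set of user IDs rather than a role name: after a patch of this kind the question is who actually reached the Class Builder, not who was supposed to be able to.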

References

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services: Low
  2. Administrative, Support, Waste Management & Remediation Services: Low
  3. Agriculture, Forestry, Fishing & Hunting: Low
  4. Arts, Entertainment & Recreation: Low
  5. Construction: Low
  6. Educational Services: Low
  7. Finance and Insurance: Low
  8. Health Care & Social Assistance: Low
  9. Information: Low
  10. Management of Companies & Enterprises: Low
  11. Manufacturing: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
