Home

Description

In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.

PUBLISHED Reserved 2025-01-13 | Published 2025-04-08 | Updated 2026-02-26 | Assigner sap




HIGH: 8.5CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

Default status
unaffected

KRNL64NUC 7.22
affected

7.22EXT
affected

KRNL64UC 7.22
affected

7.53
affected

KERNEL 7.22
affected

7.54
affected

7.77
affected

7.89
affected

7.93
affected

References

me.sap.com/notes/3554667

url.sap/sapsecuritypatchday

cve.org (CVE-2025-23186)

nvd.nist.gov (CVE-2025-23186)

Download JSON