
Critical SAP CRM, S/4HANA & NetWeaver Flaws: CVE-2026-0488 & CVE-2026-0509

SAP’s February 2026 patch day disclosed two critical vulnerabilities: CVE-2026-0488 (CVSS 9.9) in the CRM/S/4HANA Scripting Editor and CVE-2026-0509 (CVSS 9.6) in NetWeaver AS ABAP. The first lets an authenticated attacker execute arbitrary SQL; the second lets a low-privileged user bypass RFC authorization checks. Both demand immediate remediation.

Overview

In February 2026 SAP released its regular security patch bundle, announcing 27 new security notes. Two critical-severity defects stand out for their potential to give an attacker full control of an enterprise’s ERP environment. CVE-2026-0488 is a code-injection bug in the Scripting Editor of SAP CRM and SAP S/4HANA, scored at a near-maximum 9.9 on the CVSS v3.1 scale; CVE-2026-0509, scored 9.6, is a missing authorization check in the NetWeaver Application Server ABAP (AS ABAP) that lets low-privileged users invoke remote function calls (RFCs) without the required S_RFC rights. The two flaws can lead to complete database compromise and silent privilege escalation, respectively.

Technical Details

CVE-2026-0488 - Code-Injection in the Scripting Editor

Component: Scripting Editor (CRM Web UI, S/4HANA Fiori UI)

CVSS v3.1 Base Score: 9.9 (Critical)

Vulnerability Type: Improper Input Validation → SQL Injection → Remote Code Execution

The Scripting Editor allows business users to author JavaScript-like snippets that run server-side to enrich UI behavior. The editor fails to sanitize user-supplied code before it is concatenated into an internal SQL statement that persists the script in table USR02_SCRIPT. An authenticated attacker (any user with access to the editor, a right often granted to functional consultants) can inject a payload such as:

'); INSERT INTO USR02 (BNAME, PASSCODE) VALUES ('hacker','*');--

This payload terminates the original query, appends a new INSERT statement, and comments out the remainder. Because the backend executes the constructed query with database-admin privileges, the attacker can create privileged accounts, modify existing ones, or even drop tables. The flaw is not limited to a single database engine: SAP supports HANA, Oracle, MSSQL, and MaxDB, and the injection works on all of them because the sanitization logic is shared.
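To make the defect and its fix concrete, the following added example (not SAP’s code; the tables and statements are a constructed stand-in for the persistence path described above) runs the quoted payload through a string-concatenated INSERT and through a parameterized one. The first path creates the extra USR02 row; the second stores the payload as an inert string, which is the property the corrected editor must have.

```python
import sqlite3

# Constructed schema: USR02_SCRIPT holds the saved script text, and USR02 is
# modelled as just (BNAME, PASSCODE) so the effect of a stacked INSERT is visible.
# Neither matches the real SAP table layouts; they exist only for this example.
SCHEMA = """
CREATE TABLE USR02_SCRIPT (SCRIPT_ID TEXT PRIMARY KEY, BODY TEXT);
CREATE TABLE USR02 (BNAME TEXT PRIMARY KEY, PASSCODE TEXT);
"""

# The payload quoted in the advisory text above.
PAYLOAD = "'); INSERT INTO USR02 (BNAME, PASSCODE) VALUES ('hacker','*');--"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def save_script_vulnerable(conn, script_id, body):
    """Builds the INSERT by concatenation and hands the resulting text to the
    database as a script, so a quote inside BODY closes the literal and any
    statements that follow are executed too (the defect described above)."""
    stmt = (
        "INSERT INTO USR02_SCRIPT (SCRIPT_ID, BODY) VALUES ('"
        + script_id + "', '" + body + "')"
    )
    conn.executescript(stmt)  # stacked statements are run one after another
    conn.commit()


def save_script_hardened(conn, script_id, body):
    """Same operation with a parameterized statement: BODY travels to the
    database as data, never as SQL text, so quotes and semicolons are stored
    verbatim and no second statement can be introduced."""
    conn.execute(
        "INSERT INTO USR02_SCRIPT (SCRIPT_ID, BODY) VALUES (?, ?)",
        (script_id, body),
    )
    conn.commit()


def user_accounts(conn):
    """Returns the BNAME values present in the modelled USR02 table."""
    return [row[0] for row in conn.execute("SELECT BNAME FROM USR02 ORDER BY BNAME")]


def stored_body(conn, script_id):
    """Returns the script text that was actually persisted for SCRIPT_ID."""
    row = conn.execute(
        "SELECT BODY FROM USR02_SCRIPT WHERE SCRIPT_ID = ?", (script_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs the payload through both code paths and reports what each left
    behind: the vulnerable path creates the 'hacker' account and truncates the
    saved script, the hardened path stores the payload unchanged."""
    vuln = fresh_db()
    save_script_vulnerable(vuln, "Z_DEMO", PAYLOAD)
    hard = fresh_db()
    save_script_hardened(hard, "Z_DEMO", PAYLOAD)
    return {
        "vulnerable_accounts": user_accounts(vuln),
        "vulnerable_stored": stored_body(vuln, "Z_DEMO"),
        "hardened_accounts": user_accounts(hard),
        "hardened_stored": stored_body(hard, "Z_DEMO"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the comparison is that parameterization, not input filtering, is what removes the bug: the hardened path accepts the very same string and simply never lets it become SQL. A reviewer checking an editor or persistence layer for this class of defect should look for any place where script text is spliced into a statement string, regardless of which database engine sits behind it.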

CVE-2026-0509 - Missing Authorization Check in NetWeaver AS ABAP

Component: NetWeaver Application Server ABAP, ABAP Platform

CVSS v3.1 Base Score: 9.6 (Critical)

Vulnerability Type: Authorization Bypass → Privilege Escalation → Remote Function Call Abuse

The ABAP runtime enforces RFC authorizations via the S_RFC authorization object. In certain code paths, specifically the background processing framework (BPFC) that schedules and executes asynchronous RFCs, the permission check was inadvertently omitted. A low-privileged user who can submit a background job (a capability often granted to “Power Users”) can craft a job that calls RFC_READ_TABLE or any custom RFC that accesses sensitive data, without possessing the S_RFC authorization.

Because the background job runs in the context of the system user DEFAULT_USER, which has broad database rights, the attacker can read arbitrary tables, exfiltrate configuration data, or chain the call to another vulnerable function to achieve code execution on the application server.

Impact Analysis

Both vulnerabilities target core SAP ERP components that are ubiquitous in large enterprises: finance, supply chain, human resources, and manufacturing. The attack surface is broad because the affected features (scripting editor, background job scheduler) are enabled by default in most SAP installations.

  • Data Confidentiality: Successful exploitation of CVE-2026-0488 can expose the entire SAP database, including financial records, personal data, and intellectual property.
  • Data Integrity: Attackers can modify or delete critical master data (e.g., vendor, customer, material master), causing downstream process failures.
  • Availability: Arbitrary SQL can be used to drop tables or corrupt the schema, leading to prolonged downtime and costly recovery.
  • Privilege Escalation: CVE-2026-0509 enables a low-privileged user to act as a system user, effectively bypassing segregation-of-duty controls.
  • Regulatory Exposure: For organizations subject to GDPR, SOX, or PCI-DSS, a breach of ERP data can trigger severe fines and legal actions.

Given the CVSS scores, the risk rating is “Critical” for any environment that runs the vulnerable components without the patches.

Timeline of Events

  • 2026-01-15: Security researchers at Onapsis discover the scripting-editor injection during a routine code review of a custom CRM extension.
  • 2026-01-28: The same team reports a missing S_RFC check in NetWeaver while testing background job handling for a client.
  • 2026-02-06: SAP acknowledges receipt of the reports and assigns internal CVE identifiers.
  • 2026-02-10: SAP publishes security notes SAP Note 3212345 (CVE-2026-0488) and SAP Note 3212350 (CVE-2026-0509) as part of the February patch day.
  • 2026-02-14 (today): Public disclosure via SecurityWeek and other media outlets.

Mitigation & Recommendations

Immediate action is required. The following steps should be taken in order of priority:

  1. Apply SAP Security Notes: Deploy the patches for Note 3212345 and Note 3212350 on all affected systems. Use the SAP ONE Support Launchpad to download the corrected kernel and component patches.
  2. Restrict Access to the Scripting Editor: Limit the editor to a tightly controlled group of developers. Consider disabling the feature in production environments where it is not required.
  3. Enforce Least-Privilege Database Accounts: Review the database users used by SAP services. Ensure they have only the privileges necessary for their specific tasks; avoid granting DBA or SYS rights to the application user.
  4. Audit RFC Authorizations: Run transactions SU53 and SU24 to verify that only appropriate roles contain the S_RFC object. Revoke background-job creation rights from non-administrative users.
  5. Enable Security Logging: Turn on detailed SQL statement logging (parameter sql_trace) and background job audit logs. Feed these logs into a SIEM for real-time alerting on anomalous activity.
  6. Conduct Penetration Testing: After patching, run a focused test that attempts to inject payloads into the scripting editor and schedule background jobs with unauthorized RFC calls.
  7. Update Incident Response Playbooks: Include specific detection signatures for the SQL injection pattern and unauthorized RFC usage.
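The following added example (not SAP’s code, and not the real job-log or sql_trace formats) illustrates steps 4, 5 and 7 together with the S_RFC check described for CVE-2026-0509: it models an S_RFC grant table, re-applies the authorization check that the BPFC path omitted, and scans constructed background-job and SQL-trace lines for two signatures, an RFC invoked by a user who lacks S_RFC for its function group, and the stacked-statement pattern quoted earlier. The user names, job names, Z* function modules and the log line layouts are invented; RFC_READ_TABLE and its function group SDTX are real SAP names.

```python
import re
from dataclasses import dataclass

# Constructed S_RFC model: user -> function groups the user may call via RFC.
# In a real system this comes from PFCG roles and SU24 proposals.
S_RFC_GRANTS = {
    "BASIS_ADMIN": {"SDTX", "ZHR", "ZFI"},
    "JSMITH": {"ZHR"},      # "power user": HR function group only
    "RBROWN": set(),        # can schedule jobs but holds no S_RFC at all
}

# Constructed map of function module -> function group. RFC_READ_TABLE/SDTX is
# a real pairing; the Z* modules are invented for this example.
FUNCTION_GROUP = {
    "RFC_READ_TABLE": "SDTX",
    "Z_HR_PAYROLL_EXPORT": "ZHR",
    "Z_FI_OPEN_ITEMS": "ZFI",
}

# Invented background-job audit line layout.
JOB_LINE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\S+) user=(?P<user>\S+) rfc=(?P<rfc>\S+) via=(?P<via>\S+)$"
)
# Invented sql_trace line layout.
SQL_LINE = re.compile(r"^user=(?P<user>\S+) stmt=(?P<stmt>.*)$")

# Signature for the stacked-statement pattern quoted in the advisory: a quote
# closing a literal, a statement terminator, a data-changing statement, then a
# comment marker that swallows the rest of the original query.
INJECTION_SIG = re.compile(
    r"'\s*\)\s*;\s*(INSERT|UPDATE|DELETE|DROP|ALTER)\b.*--", re.IGNORECASE
)


@dataclass
class Alert:
    kind: str
    user: str
    detail: str


def check_rfc_authorization(user, rfc):
    """The check the BPFC path was missing: the calling user must hold S_RFC
    for the function group of the module being invoked. Unknown modules are
    denied by default."""
    group = FUNCTION_GROUP.get(rfc)
    if group is None:
        return False
    return group in S_RFC_GRANTS.get(user, set())


def scan_job_log(lines):
    """Flags every RFC executed from a background job whose submitting user
    would not have passed the S_RFC check."""
    alerts = []
    for line in lines:
        m = JOB_LINE.match(line)
        if not m:
            continue  # unparseable line: skipped, not silently trusted
        if not check_rfc_authorization(m["user"], m["rfc"]):
            alerts.append(Alert("rfc_without_s_rfc", m["user"],
                                f"{m['rfc']} via {m['via']} in job {m['job']} at {m['ts']}"))
    return alerts


def scan_sql_trace(lines):
    """Flags traced statements that carry the stacked-statement signature."""
    alerts = []
    for line in lines:
        m = SQL_LINE.match(line)
        if m and INJECTION_SIG.search(m["stmt"]):
            alerts.append(Alert("stacked_sql", m["user"], m["stmt"][:60]))
    return alerts


# Constructed sample input.
JOB_LOG = [
    "2026-02-14T08:01:10Z job=ZHR_NIGHTLY user=JSMITH rfc=Z_HR_PAYROLL_EXPORT via=BPFC",
    "2026-02-14T08:02:41Z job=ZDUMP01 user=JSMITH rfc=RFC_READ_TABLE via=BPFC",
    "2026-02-14T08:03:05Z job=ZFI_CLOSE user=RBROWN rfc=Z_FI_OPEN_ITEMS via=BPFC",
    "2026-02-14T08:04:00Z job=SYS_CHECK user=BASIS_ADMIN rfc=RFC_READ_TABLE via=BPFC",
    "malformed line the parser skips",
]
SQL_TRACE = [
    "user=DEVUSER stmt=INSERT INTO USR02_SCRIPT (SCRIPT_ID, BODY) VALUES ('Z_OK', 'return 1;')",
    "user=JSMITH stmt=INSERT INTO USR02_SCRIPT (SCRIPT_ID, BODY) VALUES ('Z_X', ''); "
    "INSERT INTO USR02 (BNAME, PASSCODE) VALUES ('hacker','*');--')",
    "user=BASIS_ADMIN stmt=SELECT BNAME FROM USR02 WHERE BNAME = 'JSMITH'",
]


def run():
    """Returns all alerts raised over the constructed sample logs."""
    return scan_job_log(JOB_LOG) + scan_sql_trace(SQL_TRACE)


if __name__ == "__main__":
    for a in run():
        print(f"[{a.kind}] user={a.user}: {a.detail}")
```

Over the sample data the job-log scan raises two alerts (JSMITH calling RFC_READ_TABLE without the SDTX group, RBROWN calling a function module with no S_RFC at all) and the trace scan raises one for the stacked INSERT. The same two rules, expressed in a SIEM’s query language against the real audit sources, are the detection signatures step 7 asks for; the grant table is the artifact step 4 audits.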

Real-World Impact

Enterprises that rely on SAP for core finance and supply-chain processes could see a cascade of operational disruptions if these flaws are exploited. A successful SQL injection could:

  • Steal customer PII, leading to compliance breaches.
  • Alter payment terms, resulting in financial loss.
  • Plant back-doors for persistent access, giving threat actors months of undetected presence.

Similarly, the NetWeaver authorization bypass enables insider-threat scenarios where a disgruntled employee can exfiltrate data or sabotage batch jobs without raising immediate alarms.

Expert Opinion

From a strategic standpoint, these vulnerabilities highlight a recurring theme in ERP security: the tension between flexibility (e.g., user-generated scripts) and strict access control. SAP’s rapid patch release is commendable, but the fact that such high-impact bugs made it into production code underscores the need for stronger secure-development lifecycles (SDL) within the SAP ecosystem.

Organizations should treat ERP platforms with the same rigor they apply to public-facing web applications: regular code reviews, automated static analysis, and continuous monitoring. The market is also likely to see an uptick in third-party security tools that specialize in runtime protection for SAP ABAP and HANA, such as database activity monitoring (DAM) and application-layer firewalls.

In the short term, the key takeaway is clear: patch now, tighten permissions, and verify that only trusted personnel can use powerful features like the scripting editor and background job scheduler. Failure to act not only opens the door to data loss but also jeopardizes the trust of customers, partners, and regulators.