Plattform
sap
Komponente
sap-s-4hana
Behoben in
4.0.1
103.0.1
104.0.1
105.0.1
106.0.1
107.0.1
108.0.1
109.0.1
CVE-2026-0498 is a critical Remote Code Execution (RCE) vulnerability affecting SAP S/4HANA versions 102. An attacker with administrative privileges can exploit a flaw in a function module exposed via Remote Function Call (RFC) to inject arbitrary ABAP code or operating system commands. This effectively creates a backdoor, potentially leading to complete system compromise and impacting the confidentiality, integrity, and availability of the SAP S/4HANA instance.
The impact of CVE-2026-0498 is severe. Successful exploitation allows an attacker to execute arbitrary code on the SAP S/4HANA server with administrative privileges. This grants them complete control over the system, enabling them to steal sensitive data (customer information, financial records, intellectual property), modify data, disrupt operations, and potentially pivot to other systems within the network. The RFC-based injection bypasses standard authorization checks, making exploitation relatively straightforward for attackers with sufficient access. This vulnerability shares similarities with other RFC injection flaws, where improper input validation allows attackers to execute malicious code within the SAP environment.
CVE-2026-0498 was publicly disclosed on 2026-01-13. Its CRITICAL CVSS score indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread attacks. The vulnerability is currently listed on CISA KEV, further highlighting its importance. Active exploitation campaigns are possible, particularly targeting organizations running vulnerable SAP S/4HANA instances.
Organizations running SAP S/4HANA version 102, particularly those with extensive use of RFC connections and limited network segmentation, are at significant risk. Shared hosting environments utilizing SAP S/4HANA are also vulnerable, as a compromise of one tenant could potentially impact others. Legacy SAP S/4HANA configurations with weak access controls are especially susceptible.
• linux / server:
journalctl -u saprouter | grep -i "rfc injection"• generic web:
curl -I <rfc_endpoint_url>• database (mysql):
SELECT * FROM sap.rfc_connections WHERE connection_string LIKE '%vulnerable_function_module%';disclosure
Exploit-Status
EPSS
0.07% (21% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-0498 is to upgrade to a patched version of SAP S/4HANA. SAP has not yet released a fixed version as of the publication date. Until a patch is available, consider implementing temporary workarounds. Restrict access to the vulnerable RFC function module, limiting which users and systems can access it. Implement strict input validation on all data passed to the function module to prevent malicious code injection. Monitor RFC connections for suspicious activity and unusual command executions. Consider using a Web Application Firewall (WAF) to filter malicious requests targeting the RFC endpoint. After upgrading, confirm the vulnerability is resolved by attempting to trigger the injection scenario with a benign payload and verifying that it is blocked.
Wenden Sie die von SAP bereitgestellten Sicherheitsupdates an, um die Code-Injection-Schwachstelle zu beheben. Weitere Informationen zur Aktualisierung und Installationsanweisungen finden Sie in der SAP-Notiz 3694242. Es wird empfohlen, die Aktualisierung vor der Anwendung in einer Produktionsumgebung in einer Testumgebung gründlich zu testen.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-0498 is a critical Remote Code Execution vulnerability in SAP S/4HANA 102, allowing attackers to inject code via RFC, potentially leading to full system compromise.
If you are running SAP S/4HANA version 102, you are potentially affected. Check your SAP S/4HANA version and apply the recommended mitigation steps.
The primary fix is to upgrade to a patched version of SAP S/4HANA. Until a patch is available, implement temporary workarounds like restricting RFC access and input validation.
While confirmed exploitation is not yet public, the CRITICAL severity and KEV listing suggest a high probability of active exploitation.
Refer to the official SAP Security Notes for the latest information and remediation guidance. Check the SAP Support Portal for updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.