Plateforme
sap
Composant
sap-s-4hana
Corrigé dans
4.0.1
103.0.1
104.0.1
105.0.1
106.0.1
107.0.1
108.0.1
109.0.1
CVE-2026-0498 is a critical Remote Code Execution (RCE) vulnerability affecting SAP S/4HANA versions 102. An attacker with administrative privileges can exploit a flaw in a function module exposed via Remote Function Call (RFC) to inject arbitrary ABAP code or operating system commands. This effectively creates a backdoor, potentially leading to complete system compromise and impacting the confidentiality, integrity, and availability of the SAP S/4HANA instance.
The impact of CVE-2026-0498 is severe. Successful exploitation allows an attacker to execute arbitrary code on the SAP S/4HANA server with administrative privileges. This grants them complete control over the system, enabling them to steal sensitive data (customer information, financial records, intellectual property), modify data, disrupt operations, and potentially pivot to other systems within the network. The RFC-based injection bypasses standard authorization checks, making exploitation relatively straightforward for attackers with sufficient access. This vulnerability shares similarities with other RFC injection flaws, where improper input validation allows attackers to execute malicious code within the SAP environment.
CVE-2026-0498 was publicly disclosed on 2026-01-13. Its CRITICAL CVSS score indicates a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread attacks. The vulnerability is currently listed on CISA KEV, further highlighting its importance. Active exploitation campaigns are possible, particularly targeting organizations running vulnerable SAP S/4HANA instances.
Organizations running SAP S/4HANA version 102, particularly those with extensive use of RFC connections and limited network segmentation, are at significant risk. Shared hosting environments utilizing SAP S/4HANA are also vulnerable, as a compromise of one tenant could potentially impact others. Legacy SAP S/4HANA configurations with weak access controls are especially susceptible.
• linux / server:
journalctl -u saprouter | grep -i "rfc injection"• generic web:
curl -I <rfc_endpoint_url>• database (mysql):
SELECT * FROM sap.rfc_connections WHERE connection_string LIKE '%vulnerable_function_module%';disclosure
Statut de l'Exploit
EPSS
0.07% (percentile 21%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-0498 is to upgrade to a patched version of SAP S/4HANA. SAP has not yet released a fixed version as of the publication date. Until a patch is available, consider implementing temporary workarounds. Restrict access to the vulnerable RFC function module, limiting which users and systems can access it. Implement strict input validation on all data passed to the function module to prevent malicious code injection. Monitor RFC connections for suspicious activity and unusual command executions. Consider using a Web Application Firewall (WAF) to filter malicious requests targeting the RFC endpoint. After upgrading, confirm the vulnerability is resolved by attempting to trigger the injection scenario with a benign payload and verifying that it is blocked.
Appliquer les mises à jour de sécurité fournies par SAP pour corriger la vulnérabilité d'injection de code. Consulter la note SAP 3694242 pour plus de détails sur la mise à jour et les instructions d'installation. Il est recommandé de réaliser des tests approfondis dans un environnement de test avant d'appliquer la mise à jour dans un environnement de production.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-0498 is a critical Remote Code Execution vulnerability in SAP S/4HANA 102, allowing attackers to inject code via RFC, potentially leading to full system compromise.
If you are running SAP S/4HANA version 102, you are potentially affected. Check your SAP S/4HANA version and apply the recommended mitigation steps.
The primary fix is to upgrade to a patched version of SAP S/4HANA. Until a patch is available, implement temporary workarounds like restricting RFC access and input validation.
While confirmed exploitation is not yet public, the CRITICAL severity and KEV listing suggest a high probability of active exploitation.
Refer to the official SAP Security Notes for the latest information and remediation guidance. Check the SAP Support Portal for updates.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.