SAP NetWeaver Vulnerability Allows Attackers to Escalate Privileges

A critical vulnerability in the SAP NetWeaver Application Server AS ABAP has been disclosed under SAP Security Note #3600840, carrying a near-maximum CVSS score of 9.6.

This flaw, rooted in a Missing Authorization Check within the Remote Function Call (RFC) framework, poses a severe risk to system integrity and availability.

Authenticated attackers can exploit this vulnerability under specific conditions to bypass standard authorization checks on the S_RFC object when leveraging transactional (tRFC) or queued RFCs (qRFC).

Such exploitation enables privilege escalation, granting unauthorized access to critical system functions.

Critical Flaw in RFC Framework

The potential impact is catastrophic, as attackers could manipulate application data or disrupt services entirely.

SAP advises immediate patching and highlights that post-patch, additional S_RFC permissions may need to be assigned to certain users.
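To make concrete what the S_RFC authorization object gates, and therefore what "additional S_RFC permissions" means for the users identified after patching, the following ABAP snippet is an added illustration and is not code from the SAP Note or from gbhackers. It shows an explicit AUTHORITY-CHECK against S_RFC with its three standard fields (RFC_TYPE, RFC_NAME and ACTVT) for execute access to a function module; the function module name and the form routine name are assumed for the example.

```abap
" Added illustration: an explicit S_RFC check as the RFC framework
" performs it for a synchronous RFC call. The fix in Note #3600840
" makes the same check effective for tRFC and qRFC execution paths.
" lv_rfc_name is an assumed sample value, not a specific SAP module.
FORM check_s_rfc_for_function.
  DATA lv_rfc_name TYPE rs38l_fnam VALUE 'Z_EXAMPLE_FUNCTION'.

  " RFC_TYPE 'FUNC' checks at function-module granularity
  " ('FUGR' would check at function-group granularity).
  " ACTVT '16' is the Execute activity.
  AUTHORITY-CHECK OBJECT 'S_RFC'
    ID 'RFC_TYPE' FIELD 'FUNC'
    ID 'RFC_NAME' FIELD lv_rfc_name
    ID 'ACTVT'    FIELD '16'.

  IF sy-subrc <> 0.
    " The calling user lacks S_RFC execute authority for this module.
    " A raised exception here is the behaviour a caller should expect
    " on a patched system when the role has no matching S_RFC value.
    MESSAGE e000(oo) WITH 'No S_RFC authorization for' lv_rfc_name.
  ENDIF.
ENDFORM.
```

A defender reviewing roles after applying the patch can use the same three fields as the search key: any user whose tRFC or qRFC workload previously succeeded without a matching S_RFC value for the executed function module (or its function group) will now fail this check and needs the authorization added explicitly, which is the situation the FAQ in Note #3601919 addresses.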

The accompanying FAQ in SAP Note #3601919 provides detailed guidance on identifying affected users and activating enhanced ...


Copyright of this story solely belongs to gbhackers . To see the full text click HERE