Severe SAP NetWeaver Vulnerability Allows Attackers to Bypass Authorization Checks

SAP has released nineteen security patches in its June Patch Day, addressing critical vulnerabilities that could allow attackers to bypass authorization controls and escalate privileges across multiple enterprise systems.

The update includes two HotNews Notes and seven High Priority Notes, with immediate action recommended for organizations running affected SAP environments.

The most severe vulnerability, tracked as SAP Security Note #3600840 with a CVSS score of 9.6, affects the Remote Function Call (RFC) framework in SAP NetWeaver Application Server AS ABAP.

This critical missing authorization check vulnerability enables authenticated attackers to bypass standard authorization controls on the S_RFC authorization object when using transactional (tRFC) or queued RFCs (qRFC).

Under specific conditions, attackers can exploit this vulnerability to achieve privilege escalation, critically impacting both application integrity and availability.

The vulnerability requires immediate kernel updates, with SAP warning that the patch may necessitate additional S_RFC permissions for ...