CVE-2025-26661
📋 TL;DR
CVE-2025-26661 is a missing authorization vulnerability in SAP NetWeaver ABAP Class Builder that allows authenticated attackers to escalate privileges. This could lead to unauthorized access to sensitive data and compromise system integrity. Organizations using affected SAP NetWeaver versions are impacted.
💻 Affected Systems
- SAP NetWeaver ABAP Class Builder
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to access, modify, or delete critical business data and disrupt operations.
Likely Case
Unauthorized access to sensitive business information and potential modification of ABAP classes affecting application behavior.
If Mitigated
Limited impact with proper network segmentation and strict access controls in place.
🎯 Exploit Status
Requires authenticated access to SAP system; exploitation involves ABAP Class Builder interface manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3563927
Vendor Advisory: https://me.sap.com/notes/3563927
Restart Required: No
Instructions:
1. Download SAP Note 3563927 from SAP Support Portal.
2. Apply the correction instructions provided in the note.
3. Verify the patch application through transaction SNOTE.
🔧 Temporary Workarounds
Restrict ABAP Class Builder Access
Limit access to transaction SE24 (Class Builder) to authorized users only, using SAP authorization profiles.
SU01 - Maintain user authorizations to restrict SE24 access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SAP systems from untrusted networks
- Enforce principle of least privilege for all SAP user accounts and monitor for unusual activity
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3563927 is applied using transaction SNOTE or check system version against SAP Security Patch Day advisories.
Check Version:
Execute transaction SM51 to view system information and applied notes.
Verify Fix Applied:
Verify SAP Note 3563927 implementation status in SNOTE and test authorization checks in SE24 transaction.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to transaction SE24
- Authorization failures followed by successful privileged operations
Network Indicators:
- Unusual SAP GUI or RFC connections to Class Builder functions
SIEM Query:
source="sap_audit_log" AND (event="SE24" OR event="Class Builder") AND user NOT IN authorized_users_list
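The two log indicators above (SE24 use by users outside the allow-list, and an authorization failure followed by a successful privileged operation) can be checked offline against exported audit records. The script below is an added example, not part of the advisory or an SAP tool; its record layout, the outcome values, the allow-list contents and the set of "privileged" transactions are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample records, not real SAP Security Audit Log output; the
# field layout and the outcome values are assumptions made for this example.
SAMPLE_LOG = """\
2025-02-11T09:00:01 user=ABAPDEV1 tcode=SE24 outcome=OK
2025-02-11T09:01:30 user=SALES07 tcode=SE24 outcome=AUTH_FAIL
2025-02-11T09:01:45 user=SALES07 tcode=SE24 outcome=AUTH_FAIL
2025-02-11T09:03:05 user=SALES07 tcode=SE24 outcome=OK
2025-02-11T09:10:00 user=FIN02 tcode=SE16 outcome=OK
2025-02-11T11:30:00 user=FIN02 tcode=SU01 outcome=AUTH_FAIL
2025-02-11T13:45:00 user=FIN02 tcode=SU01 outcome=OK
"""
# The advisory's "authorized_users_list" (assumed content).
AUTHORIZED_SE24 = {"ABAPDEV1"}
# Transactions counted as privileged for the correlation rule (assumption).
PRIVILEGED_TCODES = {"SE24", "SU01"}
LINE_RE = re.compile(r"^(\S+) user=(\S+) tcode=(\S+) outcome=(\S+)$")

def parse_log(text):
    """Parse each line into (timestamp, user, tcode, outcome); skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, tcode, outcome = m.groups()
            records.append((datetime.fromisoformat(ts), user, tcode, outcome))
    return sorted(records)  # chronological order is required by the correlation below

def unauthorized_se24(records, authorized=AUTHORIZED_SE24):
    """Indicator 1: successful SE24 starts by users outside the allow-list."""
    return sorted({u for _, u, t, o in records
                   if t == "SE24" and o == "OK" and u not in authorized})

def failure_then_privileged(records, window=timedelta(minutes=15)):
    """Indicator 2: auth failure then a privileged success by the same user within window."""
    hits, last_fail = [], {}
    for ts, user, tcode, outcome in records:
        if outcome == "AUTH_FAIL":
            last_fail[user] = ts  # remember the most recent failure per user
        elif outcome == "OK" and tcode in PRIVILEGED_TCODES and user in last_fail:
            if ts - last_fail[user] <= window:
                hits.append((user, last_fail[user], ts))
            del last_fail[user]  # one success consumes the pending failure
    return hits

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SE24 by non-authorized users:", unauthorized_se24(recs))
    for user, fail_ts, ok_ts in failure_then_privileged(recs):
        print(f"{user}: auth failure {fail_ts:%H:%M:%S}, privileged success {ok_ts:%H:%M:%S}")
```

On the constructed sample, SALES07 is reported under both indicators, while FIN02's failure and later success fall outside the 15-minute window and are not correlated.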