CVE-2026-23685

4.4 MEDIUM

📋 TL;DR

This CVE describes a deserialization vulnerability in the JMS service of SAP NetWeaver. An authenticated administrator with local access can submit crafted serialized content to the service; if the service deserializes it, the resulting unintended behavior can cause a denial of service of the JMS service. Only SAP NetWeaver systems running an affected JMS service configuration are exposed.

💻 Affected Systems

Products:
  • SAP NetWeaver
Versions: Specific versions not provided in CVE description; check SAP Note 3687285 for details
Operating Systems: All platforms running SAP NetWeaver
Default Config Vulnerable: ⚠️ Yes
Notes: Requires JMS service to be enabled and accessible; administrator authentication required

📦 What is this software?

SAP NetWeaver is SAP's application-server platform (ABAP and Java stacks) on which SAP business applications run. The JMS service is the Java Message Service provider of the AS Java stack; deployed applications use it for queue- and topic-based messaging between components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of the SAP NetWeaver JMS service, affecting the business processes and applications that depend on it for messaging.

🟠 Likely Case

Temporary service interruption requiring a restart of the JMS service, with potential loss of in-flight messages and transactions.

🟢 If Mitigated

Minimal impact: network segmentation and tight administrative access control limit who can reach the JMS service at all.

🌐 Internet-Facing: LOW - Requires authenticated administrator access and local network access to JMS service.
🏢 Internal Only: MEDIUM - Internal administrators with JMS access could intentionally or accidentally trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires administrator credentials, local access, and knowledge of how to interact with the JMS service; a deserialization payload has to be crafted for the installed SAP NetWeaver version.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check SAP Note 3687285 for specific patch versions

Vendor Advisory: https://me.sap.com/notes/3687285

Restart Required: Yes

Instructions:

1. Review SAP Note 3687285 for your specific NetWeaver version.
2. Apply the recommended SAP security patch.
3. Restart the affected JMS service.
4. Verify the patch is applied correctly (see How to Verify below).

🔧 Temporary Workarounds

Restrict JMS Service Access

Platform: linux

Limit network access to the JMS service port to trusted administrative systems. Replace TRUSTED_IP and JMS_PORT with your values; the accept rule only restricts access if the port is not already opened for everyone in the host's default firewalld zone (check with --list-all).

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port port="JMS_PORT" protocol="tcp" accept'
firewall-cmd --reload
firewall-cmd --list-rich-rules   # confirm the rule is active after reload

Disable Unused JMS Services

Platform: all

Disable JMS services that are not required for business operations

Check SAP documentation for your specific version on disabling JMS services

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate JMS service from general network access
  • Enforce principle of least privilege for administrative accounts and monitor JMS service access logs

🔍 How to Verify

Check if Vulnerable:

Check SAP Note 3687285 for your specific NetWeaver version and compare with installed version

Check Version:

The JMS service belongs to the AS Java stack, so check the installed Java component and patch versions in SAP NetWeaver Administrator (System Information); SAP transaction SPAM only reports ABAP support package levels. Also record the kernel patch level, since SAP Note 3687285 may reference it.

Verify Fix Applied:

Verify patch application through SAP support package manager and confirm JMS service restarted successfully

📡 Detection & Monitoring

Log Indicators:

  • Unusual JMS service restarts
  • Large or malformed JMS messages from administrative accounts
  • JMS service error logs containing deserialization exceptions

Network Indicators:

  • Unusual traffic patterns to JMS service ports from administrative systems
  • Large payloads sent to JMS endpoints

SIEM Query (Splunk-style; the source name, field names and the 100000-byte threshold are placeholders to map onto your own JMS log schema):

source="sap_jms_logs" AND (event_type="service_restart" OR message="*deserialization*" OR message="*malformed*" OR size_bytes>100000)
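The same indicators as the SIEM query, implemented as a small offline detector that also correlates a suspicious submission with a JMS service restart that follows it shortly afterwards (something a single-clause query does not do). This is an added example, not code from SAP or from the advisory; the log line format, the field names, the 60-second correlation window and the sample lines are all constructed assumptions to be adapted to the real JMS provider logs.

```python
import re
from datetime import datetime, timedelta

SIZE_THRESHOLD = 100_000                # bytes; mirrors size_bytes>100000 in the SIEM query
RESTART_WINDOW = timedelta(seconds=60)  # assumed correlation window, not from the advisory

# Constructed sample lines (not real SAP NetWeaver output). The format
# "<ts> <level> <component> user=<u> event=<e> size=<bytes> msg=<text>" is an
# assumption; adapt LINE_RE to the actual log format of your JMS provider.
SAMPLE_LOGS = """\
2026-02-03T10:01:12Z INFO jms user=j2ee_admin event=message_put size=1532 msg=queue order.events
2026-02-03T10:02:40Z INFO jms user=j2ee_admin event=message_put size=2048576 msg=queue order.events
2026-02-03T10:02:41Z ERROR jms user=j2ee_admin event=message_put size=2048576 msg=java.io.InvalidClassException during deserialization of message body
2026-02-03T10:02:45Z WARN jms user=system event=service_restart size=0 msg=JMS provider restarted after failure
2026-02-03T10:05:00Z INFO jms user=app_user event=message_put size=900 msg=queue order.events
2026-02-03T10:06:10Z INFO jms user=j2ee_admin event=message_put size=3000 msg=malformed header, rejected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<comp>\w+)\s+user=(?P<user>\S+)\s+"
    r"event=(?P<event>\S+)\s+size=(?P<size>\d+)\s+msg=(?P<msg>.*)$"
)

SUSPICIOUS = ("deserialization_error", "malformed_message", "oversized_message")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["size"] = int(rec["size"])
    return rec


def classify(rec):
    """Return the indicator names (from the list above) that a single parsed record matches."""
    hits = []
    msg = rec["msg"].lower()
    if rec["event"] == "service_restart":
        hits.append("service_restart")
    if "deserializ" in msg:          # catches "deserialization" and "deserialize"
        hits.append("deserialization_error")
    if "malformed" in msg:
        hits.append("malformed_message")
    if rec["size"] > SIZE_THRESHOLD:
        hits.append("oversized_message")
    return hits


def scan(log_text):
    """Return (line_no, indicator, user, timestamp) for every indicator hit in the log text."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for indicator in classify(rec):
            findings.append((n, indicator, rec["user"], rec["ts"]))
    return findings


def count_by_indicator(findings):
    counts = {}
    for _, indicator, _, _ in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


def correlate(findings, window=RESTART_WINDOW):
    """Pair each service restart with the suspicious submissions that preceded it within `window`.

    A restart on its own is noise; a restart right after an oversized or malformed
    message from an administrative account is the pattern this CVE would produce.
    """
    suspicious = [f for f in findings if f[1] in SUSPICIOUS]
    incidents = []
    for line_no, indicator, _user, ts in findings:
        if indicator != "service_restart":
            continue
        preceding = [s for s in suspicious if ts - window <= s[3] <= ts]
        if preceding:
            incidents.append({
                "restart_line": line_no,
                "trigger_lines": sorted({s[0] for s in preceding}),
                "users": sorted({s[2] for s in preceding}),
            })
    return incidents


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        print(f)
    print(count_by_indicator(found))
    print(correlate(found))
```

Run against the constructed sample it reports two oversized messages, one deserialization error, one malformed message and one restart, and correlates the restart on line 4 with the two submissions from j2ee_admin on lines 2 and 3; the later malformed message on line 6 is flagged but not correlated, because no restart follows it inside the window.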

🔗 References

  • SAP Note 3687285: https://me.sap.com/notes/3687285