CVE-2026-23689
📋 TL;DR
This CVE describes a denial-of-service vulnerability in SAP systems where authenticated users can trigger excessive resource consumption by invoking a function module with large loop parameters. The vulnerability allows attackers to render systems unavailable by exhausting system resources. It affects SAP systems with the vulnerable function module accessible to authenticated users.
💻 Affected Systems
- SAP NetWeaver Application Server ABAP
📦 What is this software?
Advanced Planning And Optimization by SAP
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability requiring restart, potentially affecting business operations for extended periods.
Likely Case
Degraded system performance or temporary unavailability affecting specific services or users.
If Mitigated
Minimal impact with proper access controls, monitoring, and resource limits in place.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the vulnerable function module.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3703092
Vendor Advisory: https://me.sap.com/notes/3703092
Restart Required: Yes
Instructions:
1. Download SAP Note 3703092 from SAP Support Portal
2. Apply the correction instructions provided in the note
3. Restart the affected SAP system
4. Verify the fix is applied successfully
🔧 Temporary Workarounds
Restrict Function Module Access
Remove remote-enabled status from vulnerable function modules, or restrict access via authorization objects.
- Use transaction SE37 to check function module properties
- Use transaction SU24 to adjust authorization objects
Implement Resource Limits
Configure operating system and SAP resource limits to prevent excessive consumption.
- Configure ulimits on Linux systems
- Set profile parameters in SAP instance profiles
🧯 If You Can't Patch
- Implement strict access controls to limit which users can invoke remote function modules
- Deploy monitoring and alerting for abnormal resource consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check whether SAP Note 3703092 is applied using transaction SNOTE, or compare the system version against the affected versions listed in the SAP note
Check Version:
Run 'disp+work -version' on the application server host, or check in SAP GUI via System -> Status
Verify Fix Applied:
Verify SAP Note 3703092 is marked as implemented in transaction SNOTE and test function module behavior
📡 Detection & Monitoring
Log Indicators:
- Abnormally long runtime for function modules
- High CPU or memory consumption alerts
- Multiple rapid invocations of same function module
Network Indicators:
- Unusual frequency of RFC calls to specific function modules
- Large payloads in RFC communications
SIEM Query (replace 'threshold' with a runtime limit appropriate to the module):
source="sap_audit_log" AND (event_type="RFC_CALL" OR event_type="FUNCTION_MODULE") AND duration>threshold
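The two log indicators above (abnormally long runtime, and multiple rapid invocations of the same function module) can be turned into a small detector that runs over exported RFC or audit events. The following is an added example, not code from the advisory or from SAP; the event layout (timestamp, user, function module, duration in seconds), the sample events, the module names and the thresholds are all constructed assumptions, so map your real log fields onto the parse step before using it.

```python
"""Detect long-running and burst invocations of SAP function modules.

Added example (not from the advisory page). The record format used here
(ISO timestamp, user, function module, duration in seconds) is an
assumption for illustration, not an SAP log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one quiet user, one user hammering a single
# module with long calls, and one legitimately slow batch job.
SAMPLE_EVENTS = [
    ("2026-01-10T09:00:00", "ALICE", "Z_REPORT_SUMMARY", 2.1),
    ("2026-01-10T09:00:05", "BOB",   "Z_LOOP_FM",        45.0),
    ("2026-01-10T09:00:06", "BOB",   "Z_LOOP_FM",        47.5),
    ("2026-01-10T09:00:07", "BOB",   "Z_LOOP_FM",        44.2),
    ("2026-01-10T09:00:08", "BOB",   "Z_LOOP_FM",        46.0),
    ("2026-01-10T09:00:09", "BOB",   "Z_LOOP_FM",        48.3),
    ("2026-01-10T09:05:00", "ALICE", "Z_REPORT_SUMMARY", 1.8),
    ("2026-01-10T09:06:00", "CAROL", "Z_BATCH_EXPORT",   120.0),
]


def parse_events(rows):
    """Convert raw (ts, user, fm, duration) rows into typed tuples."""
    return [
        (datetime.fromisoformat(ts), user, fm, float(duration))
        for ts, user, fm, duration in rows
    ]


def detect(events, max_duration=30.0, burst_count=5, burst_window=10):
    """Return findings as (kind, user, function_module, timestamp, value).

    LONG_RUNTIME: a single call exceeded max_duration seconds.
    BURST: the same user called the same module burst_count times or more
           within burst_window seconds (reported once per user/module pair).
    """
    findings = []
    recent = defaultdict(deque)  # (user, fm) -> timestamps inside the window
    burst_reported = set()

    for ts, user, fm, duration in sorted(events, key=lambda e: e[0]):
        if duration > max_duration:
            findings.append(("LONG_RUNTIME", user, fm, ts.isoformat(), duration))

        key = (user, fm)
        window = recent[key]
        window.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while window and (ts - window[0]) > timedelta(seconds=burst_window):
            window.popleft()
        if len(window) >= burst_count and key not in burst_reported:
            findings.append(("BURST", user, fm, ts.isoformat(), len(window)))
            burst_reported.add(key)

    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```

The burst rule is keyed on user and module together so a single user looping the same remote-enabled module stands out even when each call is individually short; tune `max_duration` per module, because some batch modules run long legitimately (CAROL's call above would be noise without a per-module baseline).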