← back
CVE-2025-26655

Missing Authorization check in SAP JIT(Outbound)

CVSS 3.1 LOWEPSS 0.2%CWE-862
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
11 Mar 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SAP Just In Time(JIT) does not perform necessary authorization checks for an authenticated user, allowing attacker to escalate privileges that would otherwise be restricted, potentially causing a low impact on the integrity of the application.Confidentiality and Availability are not impacted.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products
SAP_SE · SAP Just In Time

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://me.sap.com/notes/3347991https://url.sap/sapsecuritypatchday