← back
CVE-2026-27671

Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

CVSS 9.8 CRITICALEPSS 0.4%CWE-121
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
SAP_SE · SAP NetWeaver AS ABAP and ABAP Platform

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://me.sap.com/notes/3717897https://url.sap/sapsecuritypatchday