Warning: Two critical Missing Authorization vulnerabilities, plus several high-severity ones, in SAP CRM, S/4HANA and NetWeaver can lead to full database compromise. Patch immediately!

Published: 10/02/2026

    * Last update:  10/02/2026
   
    * Affected products:
         → SAP CRM and SAP S/4HANA (Scripting Editor)
         → SAP NetWeaver Application Server ABAP and ABAP Platform

    * Type: CWE-862 Missing Authorization

    * CVE/CVSS:

  • CVE-2026-0488: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2026-0509: CVSS 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H)

Sources

SAP

Risks

  • SAP CRM is a tool that manages customer relationships across sales, marketing, and service with tools for lead tracking, campaigns, and analytics integrated into SAP ecosystems.
  • SAP S/4HANA Scripting Editor enables VBA-like scripting to automate and extend SAP GUI interactions, reports, and custom workflows within S/4HANA transactions.
  • SAP NetWeaver AS ABAP runs ABAP applications in SAP's three-tier architecture, handling dispatchers, work processes, and load balancing.
  • The ABAP Platform modernizes AS ABAP for S/4HANA/cloud with flexible development, extensions, and REST APIs.

On the 10th of February 2026, SAP published its monthly edition of the SAP Security Patch Day including 16 security notes and one security update.

In this advisory we cover the two critical vulnerabilities in scope: CVE-2026-0488 and CVE-2026-0509.

Both vulnerabilities can be exploited over the network (AV:N) by an attacker who already holds low privileges (PR:L), without any user interaction (UI:N).

It is unclear whether either critical vulnerability has been actively exploited in the wild; no public proof of concept is available at the time of writing.

Successful exploitation of CVE-2026-0488 has a high impact on all three aspects of the CIA triad (Confidentiality, Integrity, Availability). Successful exploitation of CVE-2026-0509 has a high impact on Integrity and Availability but no impact on Confidentiality. Both vectors carry a changed scope (S:C), meaning the impact extends beyond the vulnerable component itself.

Description

CVE-2026-0488: A remote attacker with low privileges can exploit a flaw in a generic function module call in SAP CRM and SAP S/4HANA to invoke critical functionality without authorization. This allows the attacker to run SQL statements without any checks and compromise the whole database.

CVE-2026-0509: A remote attacker with low privileges can exploit this vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform to execute background Remote Function Calls (RFCs). This allows the attacker to modify critical system functions and disrupt network traffic.

For more details and for the full list of the recent SAP vulnerabilities and their patches, please refer to the SAP Security Patch Day - February 2026. https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2026.html

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing the updates on affected systems with the highest priority, after thorough testing.

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already taken place.

References

NVD