CVE-2025-26661 Overview
CVE-2025-26661 is a missing authorization check vulnerability in the SAP NetWeaver ABAP Class Builder. An authenticated attacker with low privileges can exploit this flaw over the network to gain higher access levels than assigned. Successful exploitation discloses highly sensitive information and impacts the integrity and availability of the application. SAP addressed the vulnerability in its March 2025 Security Patch Day release under SAP Note #3563927. The weakness maps to [CWE-862] Missing Authorization. The Exploit Prediction Scoring System (EPSS) currently rates the likelihood of exploitation in the low range, and no public proof-of-concept code has been published.
Critical Impact
Authenticated attackers can escalate privileges within SAP NetWeaver, exposing sensitive business data and compromising the integrity of ABAP application components.
Affected Products
- SAP NetWeaver (ABAP Class Builder component)
- SAP environments exposing the ABAP Class Builder to authenticated users
- SAP systems that have not applied SAP Note #3563927
Discovery Timeline
- 2025-03-11 - CVE-2025-26661 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-26661
Vulnerability Analysis
The vulnerability exists in the ABAP Class Builder component of SAP NetWeaver. The Class Builder is the development workbench tool used to create and maintain global ABAP classes and interfaces. The component fails to perform required authorization checks before executing privileged operations. As a result, a user holding low-privilege credentials can invoke functionality that should be restricted to higher-privileged roles. The flaw enables vertical privilege escalation within the SAP application stack, bypassing the role and authorization model that SAP administrators rely on for segregation of duties.
Root Cause
The root cause is a missing authorization check, classified as [CWE-862]. The affected ABAP Class Builder functions do not validate whether the calling user holds the authorization object required for the requested action. SAP authorization checks are typically enforced through AUTHORITY-CHECK statements in ABAP code. When these statements are absent or incomplete in privileged code paths, any authenticated session can reach sensitive functionality regardless of assigned roles.
Attack Vector
The attack vector is network-based and requires low-privilege authentication with no user interaction. An attacker authenticates to the SAP NetWeaver instance using valid but low-tier credentials, then issues a crafted request to the vulnerable ABAP Class Builder functionality. Because the authorization check is absent, the request executes with the elevated permissions tied to the underlying function rather than the caller's assigned role. The attacker can then read, modify, or disrupt ABAP application objects beyond their intended scope. No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified public proof-of-concept code is available for this vulnerability. Technical details are limited to vendor advisories. See the SAP Note #3563927 for component-specific remediation guidance.
Detection Methods for CVE-2025-26661
Indicators of Compromise
- Unexpected access to ABAP Class Builder transactions such as SE24 by users without developer authorizations.
- Creation or modification of global ABAP classes by accounts that do not hold the S_DEVELOP authorization object.
- Audit log entries showing privileged Class Builder operations attributed to low-privilege user IDs.
Detection Strategies
- Enable and review the SAP Security Audit Log (SM19/SM20) for transactions tied to the ABAP Class Builder.
- Correlate user role assignments with executed privileged actions to identify activity exceeding granted authorizations.
- Forward SAP audit logs to a centralized SIEM and build correlation rules for privilege escalation patterns within ABAP development tooling.
Monitoring Recommendations
- Monitor logon activity for low-privilege accounts that subsequently invoke developer or Class Builder functions.
- Track changes to ABAP repository objects (TADIR entries) outside of approved transport requests.
- Alert on authorization check failures spiking against S_DEVELOP or related objects, which may indicate enumeration of vulnerable paths.
How to Mitigate CVE-2025-26661
Immediate Actions Required
- Apply SAP Note #3563927 to all affected SAP NetWeaver systems as documented in the March 2025 SAP Security Patch Day.
- Inventory SAP NetWeaver instances and prioritize patching of production systems exposing the ABAP Class Builder.
- Review user assignments for the S_DEVELOP authorization object and remove unnecessary developer privileges from production accounts.
Patch Information
SAP released a fix for CVE-2025-26661 as part of the March 2025 Security Patch Day. Customers must download and apply the support package or correction instructions referenced in SAP Note #3563927. Additional context for monthly security updates is available on the SAP Security Patch Day portal. Applying the official patch is the only complete remediation.
Workarounds
- Restrict network access to SAP NetWeaver application servers so that only trusted administrative networks can reach the ABAP Class Builder.
- Tighten role design to ensure no production user holds the authorization objects required to reach the vulnerable functionality until the patch is applied.
- Increase Security Audit Log coverage and review frequency to detect attempted exploitation while patch rollout is in progress.
# Example: enable SAP Security Audit Log filter for Class Builder activity
# Configure via transaction SM19, then activate with SM20 review
# Filter: User = * Class = AU Severity = Critical
# Events: Transaction start, RFC call, Report start for SE24 and related
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
