
CVE-2026-24313: SAP ST-PI Information Disclosure Flaw

CVE-2026-24313 is an information disclosure vulnerability in SAP Solution Tools Plug-In (ST-PI) caused by missing authorization checks. Authenticated users can access system information. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-24313 Overview

SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing system information to be disclosed. This vulnerability represents a Missing Authorization (CWE-862) issue where the affected function module fails to validate user privileges before exposing sensitive system details.

Critical Impact

Authenticated users can bypass authorization controls to access system information they should not be permitted to view, potentially exposing configuration details that could facilitate further attacks against the SAP environment.

Affected Products

  • SAP Solution Tools Plug-In (ST-PI)

Discovery Timeline

  • 2026-03-10 - CVE-2026-24313 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-24313

Vulnerability Analysis

This vulnerability stems from a Missing Authorization flaw (CWE-862) within the SAP Solution Tools Plug-In (ST-PI). The affected function module fails to implement proper authorization checks for authenticated users, creating a gap in access control enforcement. When a user invokes the vulnerable function module, the system processes the request without verifying whether the user possesses the appropriate privileges to access the requested system information.

The vulnerability is exploitable over the network by any authenticated user, regardless of their assigned authorization profile. While the impact is limited to confidentiality with low severity, the disclosed system information could provide attackers with valuable reconnaissance data about the SAP landscape, including system configuration details, component versions, and infrastructure topology.

Root Cause

The root cause of CVE-2026-24313 is the absence of authorization object checks within the vulnerable function module. In SAP systems, authorization checks are typically performed by verifying the user's permissions against authorization objects. The affected function module in ST-PI bypasses this security mechanism, allowing any authenticated user to retrieve system information without proper privilege validation. This represents a failure to implement the principle of least privilege within the function module's design.

Attack Vector

The attack vector for this vulnerability is network-based and requires low complexity to exploit. An attacker needs only authenticated access to the SAP system to exploit this vulnerability. Once authenticated, the attacker can invoke the vulnerable function module directly through standard SAP interfaces such as Remote Function Calls (RFC) or the SAP GUI. The function module returns system information without checking whether the calling user has the appropriate authorization objects assigned. This allows users with minimal system privileges to access information typically restricted to administrators or specific technical roles.
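The following ABAP sketch, added here as an illustration and not taken from SAP's ST-PI code, contrasts the pattern described under Root Cause and Attack Vector (a remote-enabled function module that returns system data with no authorization object check) with the corrected form that SAP Note #3707930 describes in general terms. The function module name Z_SYSINFO_GET and the authorization object ZSYSINFO are placeholders, since the real identifiers are not given on this page.

```abap
" Added illustration, not SAP's code. Z_SYSINFO_GET and the authorization
" object ZSYSINFO are hypothetical placeholders for the affected ST-PI
" module and the object it should check. The "Remote-Enabled Module"
" attribute is set in SE37 properties, not in source, so the module is
" reachable through RFC as well as from SAP GUI.
FUNCTION z_sysinfo_get.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  EXPORTING
*"     VALUE(EV_HOST)  TYPE SY-HOST
*"     VALUE(EV_SYSID) TYPE SY-SYSID
*"     VALUE(EV_SAPRL) TYPE SY-SAPRL
*"  EXCEPTIONS
*"     NOT_AUTHORIZED
*"----------------------------------------------------------------------

  " BEFORE (the CWE-862 pattern the advisory describes): the module hands
  " back host, system ID and release to any authenticated caller because
  " nothing below verifies the caller's authorizations.
  "   ev_host  = sy-host.
  "   ev_sysid = sy-sysid.
  "   ev_saprl = sy-saprl.

  " AFTER: verify the caller against an authorization object before any
  " system detail leaves the module. ZSYSINFO (hypothetical) has a single
  " field ACTVT; activity 03 means display.
  AUTHORITY-CHECK OBJECT 'ZSYSINFO'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Fail closed with a classic exception instead of returning empty
    " values silently; the failed check is then visible in SU53 and the
    " Security Audit Log, which supports the detection advice above.
    RAISE not_authorized.
  ENDIF.

  ev_host  = sy-host.
  ev_sysid = sy-sysid.
  ev_saprl = sy-saprl.
ENDFUNCTION.
```

A caller that is not granted ZSYSINFO with ACTVT 03 in its role receives the NOT_AUTHORIZED exception rather than the system information.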

Detection Methods for CVE-2026-24313

Indicators of Compromise

  • Unusual access patterns to ST-PI function modules from non-administrative user accounts
  • Elevated frequency of RFC calls to system information functions from unexpected sources
  • User accounts accessing ST-PI components outside of normal maintenance windows

Detection Strategies

  • Monitor SAP Security Audit Log (SM21) for function module calls to ST-PI components from unauthorized users
  • Implement RFC monitoring to detect suspicious remote calls to affected function modules
  • Review user authorization profiles to identify accounts that may be exploiting missing checks
  • Configure SAP Solution Manager to alert on anomalous ST-PI function module access patterns

Monitoring Recommendations

  • Enable comprehensive SAP security logging for all ST-PI related transactions
  • Deploy SentinelOne agents on SAP application servers to detect behavioral anomalies
  • Establish baseline activity patterns for ST-PI usage and alert on deviations
  • Correlate SAP application logs with network traffic analysis for comprehensive visibility

How to Mitigate CVE-2026-24313

Immediate Actions Required

  • Apply the security patch referenced in SAP Note #3707930
  • Review and audit current user access to ST-PI function modules
  • Implement additional authorization checks at the network layer if patching is delayed
  • Assess potential information exposure by reviewing recent access logs

Patch Information

SAP has released a security patch to address this vulnerability. Organizations should apply the fix documented in SAP Note #3707930 as part of their regular patch management process. The patch introduces proper authorization checks within the affected function module to ensure users possess appropriate privileges before system information is disclosed. Additional details about this and other security updates are available on the SAP Security Patch Day portal.

Workarounds

  • Restrict RFC access to the vulnerable function module using SAP Gateway ACLs until patching is complete
  • Review and tighten user authorization profiles to limit who can invoke ST-PI functions
  • Implement network segmentation to reduce the attack surface for authenticated users
  • Enable additional logging on affected function modules to detect exploitation attempts
```bash
# Example: review SAP RFC activity for suspicious calls to ST-PI function modules
# (these are SAP GUI transaction codes to run, not shell commands)
# Run transaction SM59 to audit RFC destinations
# Check the SM21 Security Audit Log for unauthorized function calls
# Review SU53 authorization failures related to ST-PI
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
