CVE-2026-24313 Overview
CVE-2026-24313 is a missing authorization vulnerability [CWE-862] in the SAP Solution Tools Plug-In (ST-PI). The affected function module does not enforce authorization checks for authenticated users. An authenticated attacker with low privileges can invoke the module remotely over the network to disclose system information.
The vulnerability affects confidentiality only. Integrity and availability remain unaffected. The scope is changed because the exposed information crosses the security boundary of the authorization model that should have restricted access.
Critical Impact
Authenticated low-privileged users can retrieve SAP system information through an unprotected ST-PI function module, exposing data that supports further reconnaissance against the SAP landscape.
Affected Products
- SAP Solution Tools Plug-In (ST-PI)
- SAP NetWeaver ABAP systems with ST-PI installed
- See SAP Note 3707930 for the full version matrix
Discovery Timeline
- 2026-03-10 - CVE-2026-24313 published to the National Vulnerability Database
- 2026-03-10 - SAP publishes SAP Note 3707930 on SAP Security Patch Day
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-24313
Vulnerability Analysis
The SAP Solution Tools Plug-In (ST-PI) is an add-on installed on SAP ABAP-based systems. It supports SAP Solution Manager integration and provides remote-callable function modules used for system monitoring and diagnostics. One of these function modules omits the AUTHORITY-CHECK statement that should validate caller permissions before returning data.
An authenticated user with a valid Remote Function Call (RFC) or dialog session can invoke the function module without holding the authorization object normally required for the operation. The module returns system information that the caller would otherwise be unable to retrieve, supporting reconnaissance of the target SAP landscape.
The vulnerability is categorized under Missing Authorization [CWE-862]. The EPSS score is 0.032%, indicating low predicted exploitation probability at the time of publication.
Root Cause
The root cause is the absence of an AUTHORITY-CHECK call inside the affected ST-PI function module. ABAP function modules that expose system data must explicitly verify the caller's authorization objects before returning results. The missing check causes the module to trust the caller's authenticated session without confirming entitlement to the requested data.
Attack Vector
The attack vector is network-based. An attacker needs valid credentials for an account on the target SAP system with permission to invoke RFC-enabled function modules. No user interaction is required. The attacker calls the vulnerable ST-PI function module through a standard SAP RFC client or any tool that can establish an authenticated RFC session, then reads the system information returned in the response.
No public proof-of-concept code is available. The vulnerability mechanism is described in prose because SAP has not published exploit details. Refer to SAP Note 3707930 for vendor-supplied technical context.
Detection Methods for CVE-2026-24313
Indicators of Compromise
- RFC calls to ST-PI function modules originating from user accounts that do not normally perform system monitoring or Solution Manager operations
- Unexpected spikes in calls to ST-PI diagnostic function modules from a single user or RFC destination
- Authenticated sessions enumerating multiple ST-PI function modules in short time windows
Detection Strategies
- Review SAP Security Audit Log (transaction SM19/SM20) for RFC function module invocations by low-privileged users
- Enable Unified Connectivity (UCON) logging to identify which accounts call ST-PI function modules over RFC
- Correlate ST-PI function calls with the user's role profile to identify access that exceeds business need
Monitoring Recommendations
- Forward SAP audit logs and gateway logs to a centralized analytics platform for behavioral baselining of RFC activity
- Alert on calls to ST-PI function modules from service accounts or technical users that are not part of the Solution Manager integration path
- Track changes to ST-PI software component versions across the SAP landscape to confirm patch deployment
How to Mitigate CVE-2026-24313
Immediate Actions Required
- Apply the ST-PI patch referenced in SAP Note 3707930 to every affected system
- Audit user and RFC destination authorizations that permit invocation of ST-PI function modules and reduce them to least privilege
- Restrict RFC access to ST-PI function modules using Unified Connectivity (UCON) allow-lists
Patch Information
SAP released the fix on SAP Security Patch Day. The corrected ST-PI function module enforces the required authorization check before returning system information. Download instructions and the supported component versions are documented in SAP Note 3707930. Customers should follow the standard SAP support package application process for ST-PI add-ons.
Workarounds
- Use UCON to block external RFC calls to the affected ST-PI function module until the patch is applied
- Remove broad S_RFC authorizations that permit unrestricted function module execution from non-administrative roles
- Monitor SAP Security Audit Log for invocations of the affected function module and investigate anomalies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
