Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27671

CVE-2026-27671: SAP NetWeaver ABAP RCE Vulnerability

CVE-2026-27671 is a remote code execution vulnerability in SAP NetWeaver ABAP Platform caused by improper RFC protocol validation. Attackers can exploit memory management flaws to compromise systems. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-27671 Overview

CVE-2026-27671 is a memory corruption vulnerability in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform. The SAP Kernel improperly validates Remote Function Call (RFC) protocol messages. An unauthenticated remote attacker can send a crafted RFC request that triggers logical errors in memory management, corrupting process memory. Successful exploitation compromises the confidentiality, integrity, and availability of the application. The vulnerability is tracked under [CWE-121] Stack-Based Buffer Overflow.

Critical Impact

Unauthenticated remote attackers can corrupt SAP Kernel memory through crafted RFC traffic, leading to full compromise of SAP NetWeaver application servers.

Affected Products

  • SAP Kernel (Application Server ABAP component)
  • SAP NetWeaver Application Server ABAP
  • SAP ABAP Platform

Discovery Timeline

  • 2026-06-09 - CVE-2026-27671 published to NVD
  • 2026-06-09 - Last updated in NVD database
  • SAP Security Patch Day - SAP releases fix via SAP Note #3717897

Technical Details for CVE-2026-27671

Vulnerability Analysis

The vulnerability resides in the SAP Kernel's handling of the Remote Function Call (RFC) protocol. RFC is the primary inter-system communication protocol used by SAP NetWeaver to invoke functions across ABAP and non-ABAP systems. The SAP Kernel fails to enforce protocol invariants when parsing inbound RFC messages.

An attacker can craft an RFC request that triggers logical errors in memory management routines. These errors result in stack-based buffer corruption [CWE-121]. Memory corruption in a privileged server process exposes the host to arbitrary code execution, denial of service, and unauthorized data access.

No authentication is required to reach the vulnerable code path. The RFC gateway accepts the malformed message and processes it before any application-level access control is applied.

Root Cause

The root cause is improper RFC protocol validation in the SAP Kernel. Length fields, structure boundaries, or type identifiers in RFC payloads are not sufficiently checked before memory operations execute. Logical errors during deserialization permit out-of-bounds writes onto the stack.

Attack Vector

Exploitation occurs over the network against the SAP RFC gateway port (typically sapgw00 on TCP 3300 series). The attacker needs no credentials and no user interaction. The crafted RFC request must conform to enough of the protocol to reach the vulnerable parser, then deliver malformed fields that violate the assumed memory layout. See SAP Note #3717897 for the official technical advisory.

Detection Methods for CVE-2026-27671

Indicators of Compromise

  • Unexpected crashes, restarts, or core dumps of disp+work or related SAP Kernel processes.
  • Anomalous RFC connections from unknown source IPs to gateway ports in the 3300 range.
  • Malformed or oversized RFC frames recorded in gateway trace files (dev_rd, gw_log).
  • New or unexpected registered RFC server programs appearing in the gateway registration list.

Detection Strategies

  • Inspect SAP gateway logs for protocol parsing errors and abnormal disconnects correlated with kernel process restarts.
  • Hunt for outbound process behavior originating from disp+work that deviates from baseline, such as shell spawning or unexpected file writes.
  • Apply network signatures against RFC traffic that contains malformed length headers or non-conforming structure identifiers.

Monitoring Recommendations

  • Forward SAP Security Audit Log, gateway logs, and kernel traces to a central SIEM for correlation.
  • Alert on RFC connections from segments that should not communicate with SAP application servers.
  • Monitor SAP Kernel process integrity and uptime; repeated restarts may indicate exploitation attempts.

How to Mitigate CVE-2026-27671

Immediate Actions Required

  • Apply the SAP Kernel patch referenced in SAP Note #3717897 to all affected NetWeaver AS ABAP and ABAP Platform systems.
  • Restrict network access to RFC gateway ports so that only trusted application servers and integration hosts can connect.
  • Review and harden secinfo and reginfo access control lists on the SAP gateway to deny unauthorized RFC registrations and starts.
  • Audit RFC destinations and trusted RFC relationships for unexpected entries.

Patch Information

SAP released a corrective Kernel patch as part of SAP Security Patch Day. The fix is documented in SAP Note #3717897. Administrators must upgrade the SAP Kernel to the patched level on every Application Server ABAP instance, including central services and additional dialog instances.

Workarounds

  • Block RFC gateway ports at perimeter and internal firewalls for any source not explicitly required.
  • Enforce strict gw/sec_info and gw/reg_info rules to limit which programs may register with the gateway.
  • Place SAP application servers behind a segmented management network and disable direct exposure to untrusted zones.
bash
# Example SAP gateway access control entries (reginfo / secinfo)
# /usr/sap/<SID>/<INST>/data/reginfo
P TP=* HOST=app01.internal,app02.internal ACCESS=app01.internal,app02.internal CANCEL=app01.internal,app02.internal
D TP=*

# /usr/sap/<SID>/<INST>/data/secinfo
P TP=* USER=* HOST=app01.internal,app02.internal
D USER=* HOST=*

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne