CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-26661: Missing Authorization check in SAP NetWeaver (ABAP Class Builder)

8.8 CVSS

Description

Due to missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation, this could result in disclosure of highly sensitive information. It could also have a high impact on the integrity and availability of the application.

Classification

CVE ID: CVE-2025-26661

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-862: Missing Authorization

Affected Products

Vendor: SAP_SE

Product: SAP NetWeaver (ABAP Class Builder)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 9.94% (scored less or equal to compared to others)

EPSS Date: 2025-04-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26661
https://me.sap.com/notes/3563927
https://url.sap/sapsecuritypatchday

Timeline

2025-03-11 01:40:17 UTC
CVE

Missing Authorization check in SAP NetWeaver (ABAP Class Builder)