CVE-2025-26661
Published: 11 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-26661 is a vulnerability in SAP NetWeaver's ABAP Class Builder caused by a missing authorization check. Because the check is absent, an attacker can obtain access beyond what their authorizations grant, i.e. an escalation of privileges. Successful exploitation could lead to disclosure of highly sensitive information, as well as high impact on the integrity and availability of the application. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization). It was published on 2025-03-11.
The attack requires low privileges (PR:L) and can be carried out over the network (AV:N) with low attack complexity and no user interaction. An authenticated attacker with existing low-level access can exploit the missing check to escalate privileges, achieving high impacts across confidentiality (disclosure of sensitive data), integrity, and availability of the affected application.
SAP provides mitigation guidance in its advisories: SAP Note 3563927 (https://me.sap.com/notes/3563927) and the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday).
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The vulnerability is explicitly a missing authorization check that lets an authenticated, low-privileged attacker escalate privileges in the SAP NetWeaver ABAP Class Builder, which directly matches T1068 (Exploitation for Privilege Escalation).