Missing Authorization Check Allows RFC Background Calls Without S_RFC in SAP NetWeaver AS ABAP
SAP NetWeaver Application Server ABAP and ABAP Platform
Wide kernel version coverage means this affects most NetWeaver ABAP landscapes. An RFC authorization bypass rated CVSS 9.6 is a significant privilege escalation path: any authenticated user with an RFC-capable account can potentially call function modules they should not have access to. Kernel updates require a brief system downtime, but this one is worth scheduling immediately.
Vulnerability Detail
Authenticated low-privileged users can perform background Remote Function Calls without possessing the required S_RFC authorization. This can allow unauthorized access to RFC-enabled function modules, potentially enabling modification of critical system functions and disruption of operations.
Patch Action
Apply SAP Note 3674774. A kernel patch is required; coordinate with the BASIS team for kernel downtime.
Affected Versions
Patch Info