Severity: high | Published: 2026-03-10 | Product: SAP SCM | CVE-2026-27689

Denial of Service via RFC Function Module Resource Exhaustion in SAP Supply Chain Management

SAP Supply Chain Management

Our Take

Availability impact only — no data exposure. That said, a DoS against SCM during an active planning run or MRP execution would be operationally disruptive. If you run SAP SCM or embedded APO in S/4HANA, include this in your next two-week window.

Vulnerability Detail

An authenticated user can call an RFC-enabled function module with excessively large parameter values, triggering an uncontrolled loop that exhausts system resources and renders the affected system unavailable. Both standalone SAP SCM and the SCM components embedded in S/4HANA are affected.

Workaround

Restrict access to the affected RFC function module for untrusted user accounts by means of the S_RFC authorization object.

Patch Action

Apply SAP Note 3719502.

Affected Versions

SCMAPO
SCM
S4CORE/S4COREOP (multiple versions)

Patch Info

Timing

🟠 Within 2 weeks

CVSS Score

7.7

SAP Note

3719502

CVE

CVE-2026-27689

Published

2026-03-10

Timing recommendations are editorial. Verify against official SAP Security Notes before acting on production systems.