How is CVE-2026-27671 exploited?

Network reachability (required): The attacker must reach the SAP NetWeaver AS ABAP RFC listener over the network; no prior foothold on the host is needed. Authentication (not-required): No credentials or session token of any kind are required; the malicious RFC request can be sent by any unauthenticated party. Victim interaction (not-required): Exploitation is fully server-side; no user action, click, or session participation is needed from any victim. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and imposes no race-condition or environmental precondition on the attacker.

What is the impact of CVE-2026-27671?

An attacker reads arbitrary in-process memory, exposing session tokens, credentials, and application data held by the AS ABAP kernel. An attacker writes to arbitrary memory regions, allowing modification of persisted business data or injection of malicious logic into running processes. The affected SAP NetWeaver AS ABAP instance can be crashed, taking down all ABAP workloads and RFC-dependent integrations that rely on it. Kernel-level memory corruption may allow an attacker to pivot to remote code execution within the application server process.

Back to search

CRITICALCVE-2026-27671Published 2026-06-09Modified 2026-06-09CNA sap

CVE-2026-27671: Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A memory corruption vulnerability exists in the SAP Kernel component of SAP NetWeaver Application Server ABAP and ABAP Platform. The flaw is reachable over the network with no authentication required, stemming from improper validation of RFC (Remote Function Call) protocol input that triggers logical errors in memory management. Successful exploitation gives an attacker full read and write access to the affected application and can crash it entirely. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment SAP publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-27671 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI/CD pipelines, including custom-built images derived from SAP NetWeaver AS ABAP base layers. Coverage applies to the affected kernel versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, and 722EXT.

Available

Triage

Triage is available with a CVSS v3.1 score of 9.8 (Critical), surfaced alongside each customer organization's compliance policy weighting so the finding is routed to the appropriate team inbox. Per-environment prioritization means security and platform teams see the issue ranked against their own policy thresholds rather than a generic severity label.

Available

Patch

No upstream fix has been published by SAP for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers who opt into auto-remediation, the rebuild will be followed by a regression-test run and a PR opened against affected workloads without requiring manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the SAP NetWeaver AS ABAP RFC listener over the network; no prior foothold on the host is needed.
AuthenticationNot required
No credentials or session token of any kind are required; the malicious RFC request can be sent by any unauthenticated party.
Victim interactionNot required
Exploitation is fully server-side; no user action, click, or session participation is needed from any victim.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and imposes no race-condition or environmental precondition on the attacker.

Blast Radius

An attacker reads arbitrary in-process memory, exposing session tokens, credentials, and application data held by the AS ABAP kernel.
An attacker writes to arbitrary memory regions, allowing modification of persisted business data or injection of malicious logic into running processes.
The affected SAP NetWeaver AS ABAP instance can be crashed, taking down all ABAP workloads and RFC-dependent integrations that rely on it.
Kernel-level memory corruption may allow an attacker to pivot to remote code execution within the application server process.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of this advisory is active across all environments scanning images that include the affected SAP Kernel versions. Because SAP has not yet published a fix, no patched rebuild is available upstream. In the interim, compensating controls worth considering include network-policy isolation to restrict RFC port access (typically TCP 33xx and 48xx) to known trusted hosts only, egress filtering to prevent the compromised process from initiating outbound connections if exploitation occurs, and disabling unauthenticated RFC gateway access via SAP profile parameters such as gw/accept_remote_fronted_calls and gw/monitor if operationally feasible. HarborGuard will automatically make a patched-image rebuild available and, for customers with auto-remediation enabled, will open a patch PR against affected workloads as soon as SAP publishes a kernel fix version.

See how HarborGuard automates this

Affected packages

SAP_SE / SAP NetWeaver AS ABAP and ABAP Platform
KRNL64NUC 7.22 · 7.22EXT · KRNL64UC 7.22 · 722EXT · 7.53 · KERNEL 7.22

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Metrics

Get notified