CVE-2026-0509 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-0509 PUBLISHED CVSS 9.600000381469727 CRITICAL

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.

EPSS 0.02% · 3.8th percentile

Risk Scores

CVSS v3.1

9.600000381469727

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

EPSS Score

0.02%

3.8th percentile

Affected Products

Vendor	Product	Versions
SAP_SE	SAP NetWeaver Application Server ABAP and ABAP Platform	7.22EXT, KRNL64NUC 7.22, KRNL64UC 7.22
sap	netweaver_as_abap_kernel	7.53, 7.22, 7.54
sap	netweaver_as_abap_krnl64uc	7.22, 7.22ext, 7.53
sap	netweaver_as_abap_krnl64nuc	7.22, 7.22ext

Timeline

Feb 10, 2026 CVE Published
Feb 10, 2026 EPSS Score
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 11, 2026 EPSS Score
Feb 11, 2026 PoC Published
Feb 13, 2026 EPSS Score
Feb 14, 2026 EPSS Score

References

Open in Interactive Console →