Affected Products:
- SAP ST-PI (Solution Tools Plug-In)
- SAP Core Components
- SAP NetWeaver (AS ABAP / AS Java)
- SAP BusinessObjects
- SAP BusinessObjects BI Platform
The following advisory provides a detailed technical analysis of multiple SAP vulnerabilities identified under February 2026 security updates. These issues impact core enterprise systems commonly deployed in production environments supporting finance, HR, analytics, supply chain, and identity services.
The vulnerabilities range from information disclosure and authentication bypass to denial of service and phishing facilitation. Each issue is documented below with full technical explanation, exploitation context (educational use only), detection strategy, MITRE mapping, and official remediation guidance.
CVE Information
| CVE | Product | CVSS (Est.) | Severity | Exploitability | Exploit Availability |
|---|---|---|---|---|---|
| CVE-2026-24322 | SAP ST-PI | 7.5 | High | Remote, low complexity | No public PoC observed |
| CVE-2026-23689 | SAP (Core Component) | 7.8 | High | Remote, moderate complexity | No public exploit confirmed |
| CVE-2026-23687 | SAP NetWeaver | 9.1 | Critical | Remote, low complexity | Exploit techniques feasible |
| CVE-2026-0508 | SAP BusinessObjects | 8.0 | High | Remote via crafted link | No public PoC confirmed |
| CVE-2026-0490 | SAP BO BI | 6.8 | Medium | Remote, authenticated impact | No exploit published |
CVE-2026-24322
Product: SAP ST-PI
Vulnerability Type: Missing Authorization – Sensitive Information Disclosure
Severity: High
CVSS: 7.5
Overview
Within SAP ST-PI, certain support and diagnostic services were found to be accessible without proper authorization enforcement. It was determined that sensitive backend configuration data could be retrieved without validating user roles or authorization objects.
Technical Analysis
ST-PI supports system diagnostics, data collection, and supportability services. During review, it was identified that specific HTTP endpoints under /sap/bc/ did not consistently enforce role validation.
The vulnerability resulted from:
- Missing AUTHORITY-CHECK validation in service logic
- Inconsistent role mapping enforcement
- Exposure of support endpoints not restricted by SICF configuration
Information disclosed may include:
- SAP_BASIS and kernel version
- Installed support package stack
- System ID (SID)
- Client configuration
- Hostname and instance number
- Installed component list
Although direct system manipulation was not possible, reconnaissance value was high.
Exploitation (Educational)
An attacker with network access to the SAP HTTP interface could issue direct GET requests to ST-PI endpoints.
Example structure:
GET /sap/bc/stpi/systeminfo HTTP/1.1
Host: target
If exposed and unprotected, structured system data would be returned.
No publicly released exploit toolkit exists. Exploitation depends on endpoint exposure.
Impact
- Internal system intelligence disclosure
- Easier identification of unpatched components
- Increased precision of targeted attacks
Detection Strategy
Log Sources
- ICM HTTP logs (SMICM)
- SAP Security Audit Log (SM20)
- Web Dispatcher access logs
- Reverse proxy logs
Indicators
- Unauthenticated HTTP 200 responses for ST-PI endpoints
- Enumeration patterns targeting /sap/bc/stpi/
- Requests from unknown IP addresses
Detection Logic
Trigger alert if:
- ST-PI endpoints are accessed without valid session cookies
- Repeated metadata requests occur within short time window
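The two triggers above, implemented as an added Python example over constructed Web Dispatcher style access log lines (this is not SAP or vendor code; the log format, the session cookie name pattern SAP_SESSIONID_* and the 3-requests-per-60-seconds threshold are assumptions to adapt to the real environment):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, method, path, status, cookie header value.
SAMPLE_LOG = """\
2026-02-10T09:00:01 10.0.0.5 GET /sap/bc/stpi/systeminfo 200 cookie=SAP_SESSIONID_PRD_100=abc
2026-02-10T09:00:03 203.0.113.7 GET /sap/bc/stpi/systeminfo 200 cookie=-
2026-02-10T09:00:04 203.0.113.7 GET /sap/bc/stpi/components 200 cookie=-
2026-02-10T09:00:05 203.0.113.7 GET /sap/bc/stpi/kernel 200 cookie=-
2026-02-10T09:30:00 10.0.0.9 GET /sap/bc/ping 200 cookie=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "
                     r"(?P<status>\d{3}) cookie=(?P<cookie>\S+)$")
STPI_PREFIX = "/sap/bc/stpi/"
# Assumption: an AS ABAP session cookie looks like SAP_SESSIONID_<SID>_<client>=...
SESSION_COOKIE_RE = re.compile(r"SAP_SESSIONID_\w+=")

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def detect(log_text, window=timedelta(seconds=60), threshold=3):
    """Return alert tuples (rule, source IP, detail) for the two detection triggers."""
    alerts = []
    hits = defaultdict(list)  # source IP -> timestamps of ST-PI requests in the window
    for r in parse(log_text):
        if not r["path"].startswith(STPI_PREFIX):
            continue
        # Trigger 1: ST-PI endpoint answered 200 without a session cookie
        if r["status"] == "200" and not SESSION_COOKIE_RE.search(r["cookie"]):
            alerts.append(("unauthenticated_stpi_200", r["src"], r["path"]))
        # Trigger 2: repeated metadata requests from one source inside a sliding window
        ts_list = hits[r["src"]]
        ts_list.append(r["ts"])
        while ts_list and r["ts"] - ts_list[0] > window:
            ts_list.pop(0)
        if len(ts_list) == threshold:  # fire once when the threshold is reached
            alerts.append(("stpi_enumeration_burst", r["src"],
                           f"{threshold} requests within {window.seconds}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```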
Remediation
The issue has been resolved in updated ST-PI Support Packages.
Official Patch / Upgrade Link:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
CVE-2026-23689
Product: SAP Core Component
Vulnerability Type: Resource Exhaustion – Denial of Service
Severity: High
CVSS: 7.8
Overview
Improper resource handling allowed excessive system resource consumption through repeated crafted requests. It was determined that dialog processes and memory allocation limits could be exhausted.
Technical Analysis
The vulnerability was caused by:
- Absence of request throttling
- Improper memory allocation cleanup
- No concurrency limiting on heavy processing functions
Repeated execution of high-cost operations could:
- Exhaust DIA work processes
- Saturate dispatcher queues
- Increase CPU utilization
- Trigger memory exhaustion
Exploitation (Educational)
High-frequency POST requests containing oversized payloads could be submitted repeatedly.
Example pattern:
POST /sap/bc/service
Content-Length: 9000000
Sustained submission could render the system unresponsive.
No known public exploit exists.
Impact
- Service degradation
- Temporary outage
- Work process exhaustion
- Forced system restart
Detection Strategy
Log Sources
- dev_w* logs
- OS CPU and memory monitoring
- SAP EarlyWatch
- ST03N workload analysis
Indicators
- Sustained >85% CPU usage
- All dialog processes busy
- Dispatcher queue overflow
- Repeated identical large requests
Remediation
Kernel and application updates correct improper resource handling.
Official Patch / Upgrade Link:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
CVE-2026-23687
Product: SAP NetWeaver
Vulnerability Type: XML Signature Wrapping – Unauthorized Access
Severity: Critical
CVSS: 9.1
Overview
Improper XML signature validation was identified in SAP NetWeaver authentication workflows. It was determined that XML signature scope validation was incomplete, enabling signature wrapping attacks.
Technical Analysis
The vulnerability involved:
- Incomplete canonicalization validation
- Improper reference URI enforcement
- Failure to ensure full structural integrity of signed XML
Manipulated SAML assertions could contain modified role or privilege elements while maintaining a valid signature reference.
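The structural checks that close the reference-URI and scope gaps listed above, as an added Python example using only the standard library (this is not SAP's validation code): the signature's Reference URI must be a same-document ID reference, that ID must occur exactly once in the whole document, and the referenced element must be the very assertion the application consumes, with the signature enveloped inside it. Cryptographic verification of SignatureValue is assumed to run separately after these checks pass; the SAML documents are constructed and carry no real content.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def check_signature_scope(xml_text):
    """Structural checks that precede cryptographic verification. Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    consumed = root.find(f"{SAML}Assertion")   # the assertion the application would act on
    if consumed is None:
        return False, "no assertion"
    sig = consumed.find(f"{DS}Signature")      # require the signature to be enveloped in it
    if sig is None:
        return False, "consumed assertion is not signed"
    ref = sig.find(f"{DS}SignedInfo/{DS}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#") or len(uri) < 2:
        return False, f"unsupported Reference URI {uri!r}"
    # Resolve the ID over the whole document, not just the first hit, so a second
    # element reusing the ID is reported instead of silently shadowing the signed one.
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        return False, f"ID {uri[1:]!r} occurs {len(matches)} times"
    if matches[0] is not consumed:
        return False, "signed element is not the consumed assertion"
    return True, "ok"

SIG = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
       '<SignedInfo><Reference URI="#_a1"/></SignedInfo></Signature>')
ASSERTION = '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
RESP = '<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol">'
# Constructed samples: a well-formed response, and one where two assertions carry
# the signed ID so the Reference no longer identifies a unique element.
GOOD = RESP + ASSERTION + SIG + "</Assertion></Response>"
DUPLICATE_ID = RESP + ASSERTION + SIG + "</Assertion>" + ASSERTION + "</Assertion></Response>"
UNSIGNED = RESP + ASSERTION + "</Assertion></Response>"

if __name__ == "__main__":
    for doc in (GOOD, DUPLICATE_ID, UNSIGNED):
        print(check_signature_scope(doc))
```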
Exploitation (Educational)
An attacker could:
- Obtain or intercept a valid SAML assertion.
- Inject a malicious privileged element.
- Submit the modified assertion to the authentication endpoint.
If signature scope validation failed, elevated privileges could be granted.
Although no direct exploit package has been released, XML signature wrapping techniques are well documented in security research.
Impact
- Authentication bypass
- Privilege escalation
- Administrative access compromise
Detection Strategy
Log Sources
- SAP Security Audit Log
- NetWeaver AS Java logs
- SAML trace logs
- Web Dispatcher logs
Indicators
- XML signature validation warnings
- Unexpected administrative role assignments
- Authentication from new IP ranges
Remediation
Updated NetWeaver components enforce strict XML signature validation.
Official Patch / Upgrade Link:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
CVE-2026-0508
Product: SAP BusinessObjects
Vulnerability Type: Open Redirect
Severity: High
CVSS: 8.0
Overview
A redirect handler in SAP BusinessObjects accepted unvalidated external URLs. It was determined that arbitrary domains could be supplied within redirect parameters.
Technical Analysis
The vulnerability resulted from:
- Lack of URL allowlist enforcement
- No protocol validation
- Failure to restrict redirection to relative paths
Trusted SAP domains could therefore be leveraged for phishing redirection.
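The three missing controls listed above, shown as an added Python example beside the as-is behaviour (this is not the BusinessObjects redirect handler; the allowlisted host names and the default landing path are assumptions standing in for the organisation's own configuration):

```python
from urllib.parse import urlsplit, urljoin

# Assumption: these stand in for the organisation's own SAP portal hosts.
ALLOWED_HOSTS = {"sap-domain", "bi.sap-domain"}
DEFAULT_TARGET = "/BOE/BI"

def vulnerable_redirect_target(url):
    """The behaviour the advisory describes: the parameter value is used unvalidated."""
    return url

def safe_redirect_target(url, base="https://sap-domain/"):
    """Allow only relative paths, or HTTPS URLs whose host is on the allowlist."""
    if not url:
        return DEFAULT_TARGET
    url = url.strip().replace("\\", "/")  # browsers treat backslashes as slashes
    if url.startswith("//"):              # protocol-relative URL resolves to an external host
        return DEFAULT_TARGET
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: resolve against our own base and confirm it stays on our host
        resolved = urlsplit(urljoin(base, url))
        if resolved.hostname in ALLOWED_HOSTS:
            return resolved.path + (("?" + resolved.query) if resolved.query else "")
        return DEFAULT_TARGET
    if parts.scheme != "https":           # rejects http:, javascript:, data: and friends
        return DEFAULT_TARGET
    if parts.username is not None or parts.port is not None:
        return DEFAULT_TARGET             # blocks userinfo tricks such as https://sap-domain@other-host/
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return url

if __name__ == "__main__":
    for candidate in ("/BOE/BI/logon?x=1", "https://bi.sap-domain/OpenDocument",
                      "https://attacker-site.com", "//attacker-site.com",
                      "https://sap-domain@attacker-site.com/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```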
Exploitation (Educational)
Crafted links such as:
https://sap-domain/redirect?url=https://attacker-site.com
could be distributed to users.
User interaction would be required.
Impact
- Phishing facilitation
- Malware redirection
- Brand trust exploitation
Detection Strategy
Log Sources
- Web server logs
- Reverse proxy logs
- Endpoint telemetry
Indicators
- Redirect parameters containing external domains
- Spike in redirect endpoint activity
Remediation
Strict input validation and domain allowlisting have been implemented.
Official Patch / Upgrade Link:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
CVE-2026-0490
Product: SAP BusinessObjects BI
Vulnerability Type: Authentication Disruption – Denial of Service
Severity: Medium
CVSS: 6.8
Overview
Improper error handling within authentication workflows allowed repeated malformed login attempts to destabilize authentication services.
Technical Analysis
The authentication subsystem did not properly handle:
- Invalid authentication headers
- Malformed session tokens
- Unexpected login payload formats
Repeated triggering could result in authentication service instability or restart loops.
Exploitation (Educational)
Malformed authentication requests could be repeatedly submitted:
POST /BOE/CMC
Invalid payload
Service interruption could follow if exception handling loops were triggered.
Impact
- Login service outage
- Temporary user lockout
- Operational disruption
Detection Strategy
Log Sources
- CMS logs
- Authentication service logs
- Windows Event Viewer
Indicators
- Sudden surge in failed logins
- Authentication service restarts
- Repeated validation exceptions
Remediation
Authentication logic corrections have been implemented in updated BusinessObjects BI releases.
Official Patch / Upgrade Link:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
Final Takeaway
These SAP vulnerabilities highlight how small validation gaps can create significant enterprise risk. The issues range from information disclosure and authentication bypass to denial of service and phishing facilitation.
The most critical risk lies in the SAP NetWeaver XML validation flaw, which could enable privilege escalation or unauthorized access. The denial-of-service vulnerabilities can disrupt business operations, while the information disclosure and open redirect issues increase the likelihood of targeted attacks and phishing campaigns.
The primary defense remains:
- Immediate application of official SAP patches
- Restricting external exposure of SAP systems
- Enabling and actively monitoring SAP Security Audit Logs
- Implementing rate limiting and proper access controls
In enterprise SAP environments, security failures rarely occur in isolation. Timely patching, strict authorization enforcement, and continuous monitoring are essential to prevent escalation from minor weaknesses into major incidents.
