The affected function is widely used in many large, established SAP CRM landscapes, such as call centers.
The underlying flaw is a generic function module invocation path that can be abused to execute unauthorized critical functionality, he said. A practical attack chain could begin with attackers compromising an ordinary CRM user through phishing, password reuse, or endpoint compromise. The attacker would then access Scripting Editor-related functionality and leverage the generic call flaw. Finally, they would execute unauthorized database-level actions (SQL), leading to broad control. Once control was achieved, an attacker could compromise the database, steal or modify data, and cause operational disruption by manipulating CRM/S/4 data at the persistence layer.
Stross also identified a missing authorization enforcement vulnerability in remote function call (RFC) execution paths, assigned 3674774 (CVE-2026-0509), with a CVSS score of 9.6. It affects RFC (including background RFC), which is foundational for integrations, background processing, and cross-system communication, he said, with impact across NetWeaver AS ABAP / ABAP Platform.