CVE-2026-0488

SAP CRM and S/4HANA, code injection via Scripting Editor (SAP Scripting Editor Injection)

A code injection vulnerability in the Scripting Editor of SAP CRM and SAP S/4HANA (WebClient UI Framework) allows an authenticated attacker to abuse a generic function module call to execute unauthorized critical functionality, including the execution of arbitrary SQL statements. The flaw stems from a missing authorization check on the affected function module. Successful exploitation leads to full database compromise with high impact on confidentiality, integrity, and availability.

Overview

CVE-2026-0488 is a critical code injection vulnerability affecting the Scripting Editor component shared by SAP CRM and SAP S/4HANA through the SAP WebClient UI Framework. An authenticated attacker with low privileges can abuse a generic function module call to invoke critical functionality they are not authorized to use, including running arbitrary SQL statements directly against the application database. The result is a full database compromise. The National Vulnerability Database assigns a CVSS v3.1 base score of 9.9 (critical), reflecting network reachability, low privileges required, no user interaction, a changed scope, and high impact to confidentiality, integrity, and availability. SAP addressed the issue in its monthly Security Patch Day with SAP Security Note 3697099.

Technical Details

The vulnerability is rooted in a missing authorization check, classified as CWE-862 (Missing Authorization). The Scripting Editor exposes a path through which a generic, dynamically dispatched function module can be called without the platform verifying that the caller is permitted to invoke it. Because the dispatch is generic, an attacker can steer the call toward function modules that perform privileged operations, including direct database access. SAP describes the consequence as the ability to execute arbitrary SQL statements, which means an attacker is not limited to the application's intended data scope but can read, modify, or delete any data the database user can reach.

Exploitation requires an authenticated session, which is why the CVSS vector specifies low privileges (PR:L). The scope is marked changed (S:C) because the abused function executes with the rights of the application's database connection rather than the limited rights of the attacker's own role, so the impact crosses the authorization boundary that should have contained it. With arbitrary SQL execution, an attacker can compromise confidentiality (reading sensitive business and personal data), integrity (tampering with financial or master data), and availability (dropping or corrupting tables). The remediation is to apply SAP Security Note 3697099, which adds the missing authorization enforcement, across all affected product versions, including SAP S/4HANA releases 102 through 109 and the SAP WebClient UI Framework versions enumerated in the affected products list.
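To make the CWE-862 pattern described above concrete, the following is an added illustration written for this page, not SAP's code: a hypothetical generic dispatcher that resolves a caller-supplied function-module name and invokes it, first with the defect (any authenticated session reaches any registered module) and then with the authorization check that a fix of this kind adds. The module names, authorization-object names, the `Session` type and the `FUNCTION_MODULES` registry are all assumptions for the example; the "SQL" module only echoes its input.

```python
"""Added illustration (not SAP code): a generic function-module dispatcher
with a CWE-862 defect, beside a hardened version that checks the caller's
authorization before dynamic dispatch. All names are hypothetical."""
from dataclasses import dataclass, field


class AuthorizationError(PermissionError):
    """Raised when a caller lacks the authorization object a module requires."""


@dataclass
class Session:
    user: str
    auth_objects: set = field(default_factory=set)


def fm_read_own_orders(session: Session, **params):
    # Stands in for a business module a low-privileged user may legitimately call.
    return f"orders for {session.user}"


def fm_execute_sql(session: Session, statement: str = "", **params):
    # Stands in for a privileged database-layer module; it only echoes the
    # statement and never touches a database.
    return f"would execute as technical user: {statement}"


# Hypothetical registry: module name -> (callable, required authorization object)
FUNCTION_MODULES = {
    "READ_OWN_ORDERS": (fm_read_own_orders, "Z_HYPO_ORDER_DISPLAY"),
    "EXECUTE_SQL": (fm_execute_sql, "Z_HYPO_DB_ADMIN"),
}


def dispatch_vulnerable(session: Session, module_name: str, **params):
    """Generic dispatch that trusts the caller-supplied name: the caller's
    authorizations are never consulted, so any authenticated session can
    steer the call toward the privileged module (the CWE-862 defect)."""
    func, _required = FUNCTION_MODULES[module_name]
    return func(session, **params)


def dispatch_hardened(session: Session, module_name: str, **params):
    """Same generic dispatch, but the target module's required authorization
    object is checked against the session before the call is made."""
    if module_name not in FUNCTION_MODULES:
        raise KeyError(f"unknown function module {module_name!r}")
    func, required = FUNCTION_MODULES[module_name]
    if required not in session.auth_objects:
        raise AuthorizationError(
            f"{session.user} lacks {required} required for {module_name}")
    return func(session, **params)
```

The point of the hardened version is that the check is keyed to the *target* of the dynamic call, not to the entry point: a generic dispatcher cannot rely on the caller having been authorized for the editor itself, because the editor is reachable by ordinary users while the modules it can reach are not.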

Impact

  • Authenticated, low-privileged users can execute arbitrary SQL statements against the SAP application database, bypassing intended authorization controls.
  • Full database compromise: unauthorized disclosure of confidential business, financial, and personal data; tampering with master and transactional data; and destruction or corruption of database contents.
  • The changed scope (S:C) means impact extends beyond the attacker's authorized role to the entire database accessible by the application.
  • High impact to confidentiality, integrity, and availability of the SAP CRM / S/4HANA system and the data it manages.

Mitigation

  1. Apply SAP Security Note 3697099 to all affected systems; this is the authoritative fix that introduces the missing authorization check.
  2. For SAP S/4HANA, ensure the note is applied to your specific release among versions 102, 103, 104, 105, 106, 107, 108, and 109, and update the SAP WebClient UI Framework component to the corresponding patched level.
  3. Until the note is applied, restrict access to the WebClient UI Scripting Editor functionality and review authorization profiles so that only trusted administrators can reach the affected transactions.
  4. Audit existing user authorizations for the Scripting Editor and generic function module execution, removing the capability from accounts that do not require it.
  5. After patching, monitor database and application logs for any unauthorized SQL activity that may have occurred before remediation, and validate the integrity of critical master and financial data.

Detection

Detection centers on SAP's own security and audit infrastructure. Enable and review the SAP Security Audit Log (transaction SM19/SM20 or the RSAU framework) for use of the Scripting Editor and for generic function module (RFC) calls that are unusual for the invoking user. Because exploitation abuses a generic function module dispatch, look for accounts invoking function modules that are inconsistent with their job role, especially modules associated with dynamic SQL or direct database access. A low-privileged business user suddenly triggering administrative or database-layer function calls is a high-confidence indicator.

Monitor the database layer for anomalous SQL originating from the application connection. SAP systems issue highly structured, predictable queries; ad hoc statements such as unexpected SELECT * against sensitive tables, UPDATE/DELETE without normal application context, or DDL like DROP/ALTER are strong signals of abuse. If database auditing is available (for example, SAP HANA audit policies), create policies that capture statements executed through the application technical user and alert on high-risk operations.

At the network and application tier, inspect HTTP traffic to the WebClient UI for requests targeting the Scripting Editor endpoints with payloads containing SQL keywords or function-module names embedded in parameters that normally carry benign values. A reverse proxy or web application firewall in front of the SAP system can log these requests for review.

Review authorization-change and user-administration logs for privilege escalation or new accounts created after a suspected exploitation window, since arbitrary SQL execution could be used to manipulate user and role tables directly. Correlate any of these signals with the timeline of the patch: activity matching the above patterns before SAP Security Note 3697099 was applied should be treated as a potential compromise. Retain SAP audit logs and database audit trails for forensic analysis, and prioritize patching internet-facing or widely accessible SAP CRM / S/4HANA systems first. SAP and the NVD do not report public exploitation as of disclosure, but the combination of low required privilege and full database impact makes early detection and rapid patching critical.
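The two detection ideas above, role-inconsistent function-module calls and application-connection SQL that is not "application-shaped", can be turned into a small triage script. The following is an added example written for this page, not SAP's tooling or any vendor rule set: it runs over constructed audit records in an assumed `timestamp|user|role|event|detail` layout and flags the patterns the Detection section describes. The privileged module name, the role names, the sensitive-table list and the heuristic that normal application statements carry `?` bind parameters are assumptions; the log lines are constructed for the example.

```python
"""Added detection example (not SAP's tooling): flags function-module calls
that do not match the caller's role and ad hoc SQL on the application
connection, over constructed audit records. Formats and names are assumed."""
import re
from collections import namedtuple

# Constructed audit-log-style records (assumed layout: ts|user|role|event|detail)
AUDIT_LINES = """\
2026-03-02T09:14:01|jsmith|SALES_REP|FM_CALL|CRM_ORDER_DISPLAY
2026-03-02T09:15:22|jsmith|SALES_REP|FM_CALL|Z_HYPO_DYNAMIC_SQL_EXEC
2026-03-02T09:16:05|dbadmin|BASIS_ADMIN|FM_CALL|Z_HYPO_DYNAMIC_SQL_EXEC
2026-03-02T09:17:40|jsmith|SALES_REP|SQL|SELECT * FROM KNA1
2026-03-02T09:18:10|sapapp|APP_TECH_USER|SQL|SELECT MANDT, KUNNR FROM KNA1 WHERE KUNNR = ?
2026-03-02T09:19:33|sapapp|APP_TECH_USER|SQL|DELETE FROM USR02
2026-03-02T09:20:02|sapapp|APP_TECH_USER|SQL|DROP TABLE BKPF
"""

# Assumed names: modules that give dynamic SQL / direct DB access, and the
# roles expected to invoke them.
PRIVILEGED_MODULES = {"Z_HYPO_DYNAMIC_SQL_EXEC"}
ADMIN_ROLES = {"BASIS_ADMIN"}
# Tables whose wholesale read is never application-shaped (example list).
SENSITIVE_TABLES = {"KNA1", "USR02", "BKPF", "AGR_USERS"}

DDL_RE = re.compile(r"^\s*(DROP|ALTER|TRUNCATE|CREATE)\b", re.I)
STAR_RE = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)", re.I)
DML_RE = re.compile(r"^\s*(UPDATE|DELETE)\b", re.I)

Alert = namedtuple("Alert", "ts user reason")


def classify_sql(stmt):
    """Return a reason string if the statement looks ad hoc, else None.
    Heuristic (assumption): application statements are parameterized with
    '?' placeholders, so literal UPDATE/DELETE and any DDL stand out."""
    if DDL_RE.match(stmt):
        return "DDL statement issued over the application connection"
    m = STAR_RE.match(stmt)
    if m and m.group(1).upper() in SENSITIVE_TABLES:
        return f"SELECT * against sensitive table {m.group(1).upper()}"
    if DML_RE.match(stmt) and "?" not in stmt:
        return "UPDATE/DELETE without parameter binding (not application-shaped)"
    return None


def analyze(text):
    """Walk the records and return the alerts a reviewer should look at."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, event, detail = line.split("|", 4)
        if event == "FM_CALL":
            # A privileged module called from a non-admin role is the
            # high-confidence indicator described in the Detection section.
            if detail in PRIVILEGED_MODULES and role not in ADMIN_ROLES:
                alerts.append(Alert(
                    ts, user,
                    f"role {role} invoked privileged module {detail}"))
        elif event == "SQL":
            reason = classify_sql(detail)
            if reason:
                alerts.append(Alert(ts, user, reason))
    return alerts


if __name__ == "__main__":
    for a in analyze(AUDIT_LINES):
        print(f"{a.ts} {a.user}: {a.reason}")
```

On the constructed records the script raises four alerts: the sales user invoking the dynamic-SQL module, the `SELECT *` on the customer master, the unparameterized `DELETE FROM USR02`, and the `DROP TABLE`; the admin's call to the same module and the parameterized application `SELECT` pass. In a real deployment the role-to-module baseline would be derived from the Security Audit Log history before the patch window rather than hard-coded.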
