A critical vulnerability has been identified in SAP Landscape Transformation, assigned CVE-2026-0491 with a CVSS score of 9.1. This flaw allows an attacker who already has administrative privileges to inject and execute arbitrary code or operating system commands, effectively creating a backdoor. Successful exploitation could lead to a complete compromise of the affected SAP system, jeopardizing sensitive data and critical business operations.

This vulnerability exists within a function module exposed via Remote Function Call (RFC) in SAP Landscape Transformation. An attacker with administrative credentials can call this vulnerable function module and pass a specially crafted payload. The flaw fails to properly sanitize the input, allowing the injection of arbitrary ABAP code or OS commands which are then executed on the server, bypassing standard authorization checks and logging mechanisms.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation grants an attacker complete control over the SAP system, posing a severe risk to the business. Potential consequences include theft of sensitive corporate data (financial records, customer information, intellectual property), manipulation or corruption of critical business data, and disruption of essential services leading to operational downtime. The vulnerability's nature as a backdoor could allow for persistent, undetected access, amplifying the potential for financial loss, regulatory penalties, and reputational damage.

Immediate Action: Apply the security patches released by SAP for SAP Landscape Transformation across all affected systems immediately. Prioritize patching for internet-facing or business-critical systems. After patching, it is crucial to review system logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of RFC traffic, specifically looking for unusual or unauthorized calls to function modules from administrative accounts. Monitor SAP and OS-level security logs for suspicious activities, such as unexpected processes being spawned by SAP services or unusual file modifications. Configure alerts for failed and successful logon attempts by high-privilege users outside of normal business hours.

Compensating Controls: If patching cannot be immediately deployed, implement the following controls:

• Restrict network access to RFC ports from untrusted networks and hosts.
• Enforce strict access control lists (ACLs) on the specific vulnerable RFC function module to limit its execution to only essential, trusted users and systems.
• Increase the scrutiny and monitoring of all activities performed by users with administrative privileges.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the potential for full system compromise, this vulnerability requires immediate attention. We strongly recommend that the organization prioritize the deployment of the vendor-supplied patches across all affected SAP environments. Although the vulnerability requires pre-existing administrative credentials, it poses a significant risk from insider threats or in scenarios where an attacker has already gained an initial foothold. The potential for this flaw to be used as a persistent backdoor makes swift remediation essential to protect the confidentiality, integrity, and availability of the organization's critical assets.