CVE-2026-0509

SAP · NetWeaver Application Server ABAP and ABAP Platform

SAP NetWeaver AS ABAP allows low-privileged authenticated users to execute Remote Function Calls (RFC) without proper S_RFC authorization, impacting system integrity and availability.

Executive summary

An authorization bypass in SAP NetWeaver AS ABAP lets an authenticated, low-privileged user trigger background Remote Function Calls (RFC) that their S_RFC authorizations do not permit, threatening the integrity and availability of the platform.

Vulnerability

This vulnerability allows an authenticated, low-privileged user to perform background Remote Function Calls (RFC) even when the required S_RFC authorization is missing. S_RFC is the authorization object the RFC runtime evaluates before an RFC-enabled function module is executed (by function group or function module name, activity 16 = Execute); on the affected execution path that check is not applied. The defect is therefore in the access control logic of specific RFC execution paths, not in the S_RFC authorization data itself: a user whose roles grant no S_RFC value for the target function can still reach it. Because the check is skipped in code, tightening S_RFC values or confirming that the RFC authority check is enabled in the profile is useful hygiene but is not expected to close this issue; the vendor patch is.

Business impact

While confidentiality is not directly impacted, the CVSS score of 9.6 reflects a critical risk to system integrity and availability. Only a valid low-privileged account is required, so any user able to log on, including service or interface accounts, is a potential starting point. An attacker could trigger unauthorized background processing that disrupts business operations or modifies system configuration, leading to significant downtime and loss of trust in the data the system processes.

Remediation

Immediate Action: Apply the patches for SAP NetWeaver AS ABAP and the ABAP Platform listed in the corresponding SAP security note for this CVE, for every affected release and support package level in use.

Proactive Monitoring: Review the Security Audit Log (SM20 / RSAU_READ_LOG) and other RFC execution records for successful RFC calls made by users whose effective authorizations (SUIM, role values in AGR_1251) contain no S_RFC value covering the called function group or function module. Successful calls that the user's S_RFC values would not permit are the signal to look for; failed calls are the check working as designed.

Compensating Controls: Enforce the principle of least privilege by auditing all user roles and removing unnecessary permissions that might provide a foothold for further exploitation. Since the bypass is in a code path rather than in S_RFC values, the most useful reductions are in who can authenticate and reach RFC at all: retire unused and shared accounts, and limit which RFC-enabled function modules are exposed to external callers with the platform's connectivity controls, so that a low-privileged account has less to trigger.
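The monitoring step above asks for successful RFC calls by users who lack a covering S_RFC value, and the vulnerability description above relies on how S_RFC is evaluated (RFC_TYPE FUGR or FUNC, RFC_NAME with SAP's trailing-asterisk generic matching, ACTVT 16). The following script is an added example, not SAP code and not part of the advisory or of any SAP tooling. It re-implements that S_RFC evaluation offline and runs it over two exports you would produce yourself: the users' effective S_RFC values and Security Audit Log entries for RFC calls (AUK = successful RFC call, AUL = failed RFC call). Both inputs here are constructed samples in a simplified pipe-delimited layout that is an assumption of this example, not a real SAP export format; the function module to function group assignments in the sample are likewise illustrative.

```python
"""Offline triage: successful RFC calls that the caller's S_RFC values
would not have permitted.

Added example, not SAP code. Inputs are constructed samples in a
simplified pipe-delimited layout (an assumption of this example).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SRfc:
    """One S_RFC authorization value: RFC_TYPE is FUGR (function group)
    or FUNC (function module), RFC_NAME the name or generic pattern,
    ACTVT 16 = Execute."""
    rfc_type: str
    rfc_name: str
    actvt: str


def sap_match(pattern: str, value: str) -> bool:
    """Authorization value matching as the ABAP authority check applies it:
    '*' alone matches everything, a trailing '*' is a generic prefix,
    anything else is an exact comparison (no embedded wildcards)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def s_rfc_allows(auths: Set[SRfc], fugr: str, func: str) -> bool:
    """True if any S_RFC value grants Execute on the called function module,
    either through its function group or through its own name."""
    for a in auths:
        if not sap_match(a.actvt, "16"):
            continue  # display-only or other activity does not permit a call
        if a.rfc_type in ("FUGR", "*") and sap_match(a.rfc_name, fugr):
            return True
        if a.rfc_type in ("FUNC", "*") and sap_match(a.rfc_name, func):
            return True
    return False


# Constructed export of effective S_RFC values: USER|RFC_TYPE|RFC_NAME|ACTVT
AUTH_EXPORT = """\
ALICE|FUGR|SRFC|16
ALICE|FUGR|RFC1|16
BOB|FUNC|RFC_PING|16
BOB|FUGR|Z*|16
CAROL|FUGR|*|03
"""

# Constructed audit lines: TIMESTAMP|USER|CLIENT|EVENT|FUNCTION_MODULE|FUNCTION_GROUP
# AUK = successful RFC call, AUL = failed RFC call (check worked as designed).
AUDIT_LOG = """\
2026-01-14 08:01:02|ALICE|100|AUK|RFC_PING|SRFC
2026-01-14 08:02:10|ALICE|100|AUK|RFC_SYSTEM_INFO|SRFC
2026-01-14 08:05:33|BOB|100|AUK|Z_REPORT_RUN|ZUTIL
2026-01-14 08:06:44|BOB|100|AUK|RFC_READ_TABLE|SDTX
2026-01-14 08:07:00|CAROL|100|AUK|RFC_PING|SRFC
2026-01-14 08:08:00|DAVE|100|AUL|RFC_PING|SRFC
"""


def parse_auths(export: str) -> Dict[str, Set[SRfc]]:
    """Group S_RFC values by user from the constructed export layout."""
    auths: Dict[str, Set[SRfc]] = {}
    for line in export.splitlines():
        if not line.strip():
            continue
        user, rfc_type, rfc_name, actvt = line.split("|")
        auths.setdefault(user, set()).add(SRfc(rfc_type, rfc_name, actvt))
    return auths


def find_unauthorized_calls(auth_export: str, audit_log: str) -> List[Tuple[str, str, str]]:
    """Return (user, function module, function group) for every successful
    RFC call (AUK) that the user's S_RFC values would not have permitted.
    A user with no S_RFC values at all is treated as having none."""
    auths = parse_auths(auth_export)
    findings: List[Tuple[str, str, str]] = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        _ts, user, _client, event, func, fugr = line.split("|")
        if event != "AUK":
            continue
        if not s_rfc_allows(auths.get(user, set()), fugr, func):
            findings.append((user, func, fugr))
    return findings


if __name__ == "__main__":
    for user, func, fugr in find_unauthorized_calls(AUTH_EXPORT, AUDIT_LOG):
        print(f"REVIEW: {user} executed {func} (group {fugr}) without a covering S_RFC value")
```

On the sample data the script reports BOB's call to RFC_READ_TABLE (neither his FUNC value for RFC_PING nor his generic Z* group value covers it) and CAROL's call to RFC_PING (her S_RFC value is activity 03, not Execute); ALICE's calls are covered and DAVE's AUL entry is a failed call and is skipped. The output is a triage list, not proof of exploitation: a hit may also come from stale authorization exports, from an RFC authority check that is disabled system-wide in the profile, or from a call that was legitimately authorized through a route the exports do not capture, so confirm each hit against the live authorization data before treating it as an incident.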

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is a missing authorization check on one RFC execution path, not a weakness in the S_RFC model itself, so it cannot be closed by role changes alone. Organizations should prioritize the vendor-provided patches, then review their RFC security configuration and RFC call auditing so that unauthorized background execution is both less reachable and detectable if it has already occurred.