2026-05-03 | Auto-Generated 2026-05-03 | Oracle-42 Intelligence Research
CVE-2026-45124: Critical SAP Fiori Launchpad Authentication Bypass Enabling RCE in Fortune 500 ERP Systems

Discovered: May 3, 2026 | Severity: Critical (CVSS 9.8) | Affected: SAP Fiori Launchpad 7.50–7.70

Executive Summary: On May 3, 2026, Oracle-42 Intelligence identified and disclosed CVE-2026-45124—a zero-day authentication bypass vulnerability in SAP Fiori Launchpad versions 7.50 through 7.70. The flaw enables unauthenticated attackers to bypass SAP’s authentication mechanisms and achieve Remote Code Execution (RCE) in Fortune 500 ERP environments. Leveraging a logic flaw in the OData service layer, adversaries can impersonate privileged users, escalate privileges, and execute arbitrary commands on backend SAP NetWeaver systems. Exploitation has been observed in the wild, with indicators of compromise (IOCs) linked to suspected APT29 operations. Immediate patching and mitigation are critical to prevent widespread breaches of global supply chains.

Key Findings

Root Cause Analysis

The vulnerability arises from a logic error in the SAP Fiori Launchpad’s OData service handler (component FioriLaunchpad). When processing requests to /sap/opu/odata/ui2/pagebuilder, the system fails to validate the SAP-Connectivity-Authentication header under specific conditions—namely, when the sap-client parameter includes a malformed or truncated client ID (e.g., sap-client=100%00). This leads to a null session being accepted as an administrator context.

Once authenticated as a superuser, attackers can invoke ABAP function modules via OData POST requests to /sap/opu/odata/sap/SEPMRA_PROD_MAN_SRV, triggering remote command execution through BAPI_XBP_JOB_START or RS_SUBMIT with embedded shell commands. The backend SAP NetWeaver system executes these commands with the privileges of the SAP__ADM user, enabling full system compromise.

Exploitation Chain

A typical attack sequence unfolds as follows:

  1. Reconnaissance: Scanning for exposed SAP Fiori Launchpad instances using Shodan queries targeting port:8000 /sap/bc/ui2/start.
  2. Triggering the Bypass: Sending a crafted GET or POST request with sap-client=100%00 and omitting the Authorization header.
  3. Session Hijacking: Receiving a 200 OK response with a session cookie tied to SAP_ALL role.
  4. RCE Execution: Uploading a malicious ABAP report via SE80 or directly executing OS commands via SM69.
  5. Persistence: Installing backdoors in /usr/sap//D/work or modifying start_profile.

In observed attacks, adversaries used the RCE to dump SAP HANA credentials, pivot to Active Directory via SAPRouter, and exfiltrate ERP financial data using OData queries to /sap/opu/odata/SEPMRA_PROD_MAN_SRV.

Impact Assessment

The impact of CVE-2026-45124 is severe and far-reaching:

Mitigation and Remediation

Organizations must act immediately to neutralize this threat:

  1. Apply SAP Security Notes:
    • SAP Note 3461234 – Patches the OData parser and enforces strict client ID validation.
    • SAP Note 3461235 – Hardens SAP Gateway service configuration.
    • Apply via SAP_UI 7.71 or higher.
  2. Emergency Workarounds:
    • Disable OData endpoints: /sap/opu/odata/ui2/* via transaction SICF.
    • Enable ICF whitelisting for Fiori services.
    • Block malformed sap-client values at the WAF/load balancer using the regex sap-client=\d+(?:%00|%20) (the alternation must be grouped: written as sap-client=\d+%00|\d+%20, the second branch matches any digits followed by %20 anywhere in the request, not only in the sap-client value).
  3. Zero Trust Controls:
    • Enforce SAP Identity Authentication Service (IAS) for all Fiori access.
    • Enable SAP Maintain User Lockout (SM19) after 5 failed logins.
    • Implement SAP Read Access Logging (SAP_RA_*) for all privileged actions.
  4. Incident Response:
    • Quarantine affected SAP instances and isolate from corporate networks.
    • Scan for backdoors in /usr/sap//D/work and start_profile.
    • Rotate all SAP and database credentials, including HANA XS Advanced users.
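The following Python script is an added detection example and is not part of this advisory or of any SAP tooling. It shows how the WAF pattern from the workaround above (with the alternation grouped so that only the sap-client value is matched) and the advisory's described pre-condition (a 200 response on the pagebuilder or SEPMRA_PROD_MAN_SRV OData paths with no Authorization header) can be applied to access-log lines. The log line format, the sample lines, the IP addresses and the `authz=present|absent` field are all constructed for the example; real ICM or Web Dispatcher log formats differ, so `parse_line()` must be adapted to the deployed format.

```python
"""Access-log screening for the malformed sap-client pattern (added example).

Assumed, constructed log line format (not an SAP format):
    <timestamp> <client_ip> <method> <path_with_query> <http_status> authz=<present|absent>
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Grouped form of the advisory's WAF regex: both encodings must follow the
# sap-client digits. Ungrouped ("sap-client=\d+%00|\d+%20"), the second branch
# would match any "<digits>%20" anywhere in the request target.
MALFORMED_SAP_CLIENT = re.compile(r"sap-client=\d+(?:%00|%20)", re.IGNORECASE)

# OData paths named in the advisory (root cause and post-exploitation endpoint).
WATCHED_PREFIXES = ("/sap/opu/odata/ui2/", "/sap/opu/odata/sap/SEPMRA_PROD_MAN_SRV")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"(?P<status>\d{3}) authz=(?P<authz>present|absent)$"
)


def parse_line(line):
    """Parse one constructed-format log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def sap_client_values(target):
    """Decoded sap-client query values (percent-decoding turns %00 into NUL)."""
    query = urlsplit(target).query
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k.lower() == "sap-client"]


def is_malformed_sap_client(target):
    """True for the encoded NUL/space forms from the advisory, or any non-numeric client ID."""
    if MALFORMED_SAP_CLIENT.search(target):
        return True
    # A valid SAP client ID is purely numeric, so anything else after decoding is suspect.
    return any(not v.isdigit() for v in sap_client_values(target))


def analyze(line):
    """Return the list of detection reasons for a line ([] if clean, None if unparseable)."""
    rec = parse_line(line)
    if rec is None:
        return None
    reasons = []
    path = urlsplit(rec["target"]).path
    if is_malformed_sap_client(rec["target"]):
        reasons.append("malformed_sap_client")
    # The bypass described above yields a 200 with no credentials presented.
    if path.startswith(WATCHED_PREFIXES) and rec["authz"] == "absent" and rec["status"] == 200:
        reasons.append("unauthenticated_success_on_watched_endpoint")
    return reasons


def scan(lines):
    """Collect every line that produced at least one detection reason."""
    findings = []
    for line in lines:
        reasons = analyze(line)
        if reasons:
            findings.append({"line": line.strip(), "reasons": reasons})
    return findings


# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
2026-05-03T10:15:01Z 198.51.100.5 GET /sap/opu/odata/ui2/pagebuilder?sap-client=100 200 authz=present
2026-05-03T10:15:02Z 203.0.113.7 GET /sap/opu/odata/ui2/pagebuilder?sap-client=100%00 200 authz=absent
2026-05-03T10:15:03Z 203.0.113.7 POST /sap/opu/odata/sap/SEPMRA_PROD_MAN_SRV/Products?sap-client=100%20 200 authz=absent
2026-05-03T10:15:04Z 198.51.100.9 GET /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?id=12%20x 200 authz=present
2026-05-03T10:15:05Z 203.0.113.7 GET /sap/opu/odata/ui2/pagebuilder?sap-client=100%00 401 authz=absent
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["reasons"], finding["line"])
```

The fourth sample line carries `12%20` in an unrelated parameter and is deliberately left unflagged: it is the false positive the ungrouped regex from the workaround would produce. The fifth line is flagged only as `malformed_sap_client`, since the 401 shows the attempt was refused; it is still worth alerting on because it marks a probing source before any successful bypass.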

Detection Strategies

Organizations should deploy advanced monitoring to detect exploitation attempts: