CVE-2023-35874: 
SAP NetWeaver Application Server ABAP vulnerability analysis and mitigation

CVE-2023-35874 affects SAP NetWeaver Application Server ABAP and ABAP Platform across multiple versions including KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, and KERNEL 7.93. The vulnerability was disclosed on July 10, 2023, and involves improper authentication checks for functionalities that require user identity (NVD).

The vulnerability is classified with a CVSS v3.1 base score of 7.4 (High) according to NVD, while SAP SE rates it at 6.0 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, and changed scope with low impacts on confidentiality, integrity, and availability. The weakness is categorized as CWE-306: Missing Authentication for Critical Function (NVD).

When exploited, this vulnerability allows an attacker to perform malicious actions over the network, extending the scope of impact and causing limited impacts on confidentiality, integrity, and availability of the affected systems (NVD, Cyber Security News).

SAP has released security patches to address this vulnerability. Organizations running affected versions of SAP NetWeaver Application Server ABAP and ABAP Platform should apply the available updates as detailed in SAP Security Note 3318850 (SAP Note).