CVE-2026-24317 is a vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting SAP GUI for Windows version BC-FES-GUI 8.00 when the GuiXT feature is enabled. The vulnerability arises because SAP GUI allows DLL files to be loaded from arbitrary directories within the application environment. An attacker, without authentication, can exploit this by persuading a victim user to place a malicious DLL file into one of these directories. When SAP GUI loads the DLL, the malicious code executes in the context of the victim user, potentially leading to unauthorized code execution. The attack requires user interaction, specifically the victim placing the malicious DLL, which limits the ease of exploitation. The impact on confidentiality, integrity, and availability is considered low, as the attacker gains the same privileges as the user and does not directly compromise system-wide security or data confidentiality. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is rated medium severity with a CVSS 3.1 score of 5.0, reflecting network attack vector, high attack complexity, no privileges required, user interaction required, and low impact on confidentiality, integrity, and availability.

The primary impact of this vulnerability is the potential execution of arbitrary code within the context of the victim user. This can lead to unauthorized actions such as data manipulation, installation of malware, or lateral movement within the victim's environment. However, since the attack requires user interaction and the privileges of the user account, the overall impact on enterprise-wide confidentiality, integrity, and availability is limited. Organizations relying heavily on SAP GUI with active GuiXT, especially those with users having elevated privileges, could face increased risk of targeted attacks or malware persistence. The vulnerability could be leveraged as a foothold in a multi-stage attack chain, particularly in environments where SAP GUI is widely used for critical business processes.

To mitigate this vulnerability, organizations should: 1) Restrict and monitor directories from which SAP GUI loads DLLs, ensuring only trusted paths are used. 2) Educate users about the risks of placing untrusted files in application directories and the dangers of social engineering attempts to drop malicious DLLs. 3) Disable the GuiXT feature if it is not required, reducing the attack surface. 4) Implement application whitelisting to prevent unauthorized DLLs from loading. 5) Monitor SAP GUI usage and file system changes for suspicious activity. 6) Apply SAP security patches promptly once they become available. 7) Employ endpoint detection and response (EDR) solutions to detect anomalous DLL loading or execution behaviors. 8) Use least privilege principles to limit user rights, minimizing the impact of code execution in user context.