SAP · SAP NetWeaver · CVE-2016-3635
**Name of the Vulnerable Software and Affected Versions**
SAP NetWeaver version 7.4
**Description**
The issue allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list. This can lead to the execution of arbitrary Remote Function Modules (RFMs) by leveraging a connection created by the earlier execution of an anonymous RFM included in a Communication Assembly.
**Recommendations**
For SAP NetWeaver version 7.4, apply the fix provided in SAP Security Note 2139366 to resolve the issue.