CVE-2026-0507
OS Command Injection in SAP ABAP Server Risks Full System Compromise
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | application_server_for_abap | * |
| sap | netweaver_rfcsdk | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS Command Injection flaw in SAP Application Server for ABAP and SAP NetWeaver RFCSDK. An authenticated attacker with administrative and adjacent network access can upload specially crafted content to the server. When the application processes this content, it allows the attacker to execute arbitrary operating system commands on the server.
How can this vulnerability impact me? :
Exploitation of this vulnerability could lead to a full compromise of the system's confidentiality, integrity, and availability. This means an attacker could gain control over the system, access sensitive data, modify or delete information, and disrupt system operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability could impact compliance with common standards and regulations such as GDPR and HIPAA because successful exploitation may lead to full compromise of the system's confidentiality, integrity, and availability. Such a compromise can result in unauthorized access to sensitive personal or health data, violating data protection and privacy requirements mandated by these regulations.