CVE-2026-0507 - Vulnerability Details

- OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK

Description

Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability.

Published: 2026-01-13

Score: 8.4 High

EPSS: 1.5% Low

KEV: No

Impact:

Action:

Analysis

Impact

An authenticated attacker with administrative privileges and adjacent network access can upload specially crafted content to SAP Application Server for ABAP and SAP NetWeaver RFCSDK. The server processes that content and allows execution of arbitrary operating system commands. This results in complete loss of confidentiality, integrity, and availability of the affected system.

Affected Systems

SAP Application Server for ABAP and SAP NetWeaver RFCSDK are affected. Specific product versions are not listed in the available data, so all releases with similar architecture should be reviewed for susceptibility.

Risk and Exploitability

The CVSS score is 8.4, indicating high severity. The EPSS score of 1% shows a low but non-zero likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires network connectivity to the SAP server, administrative authentication, and the ability to upload content; the attacker must then trigger the processing of that content to achieve command execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP Application Server for ABAP and SAP NetWeaver RFCSDK

unaffected

Version	Status	Constraints
`KRNL64UC 7.53`	affected	—
`NWRFCSDK 7.50`	affected	—
`KERNEL 7.53`	affected	—
`7.54`	affected	—
`7.77`	affected	—
`7.89`	affected	—
`7.93`	affected	—
`9.16`	affected	—

No data.

Vendor	Product	Confidence	Versions
Sap	Application Server	—	—
Sap	Netweaver	—	—
Sap	Netweaver Abap	—	—
Sap	Netweaver Abap Application Server	—	—
Sap	Netweaver Application Server	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the SAP security patch referenced in SAP Note 3675151 and apply any related updates to SAP NetWeaver RFCSDK.
Limit network access to the SAP Application Server for ABAP to trusted IP addresses and enforce strict firewall rules to prevent adjacent network attackers from reaching upload endpoints.
Apply the principle of least privilege to administrative accounts, ensuring that only necessary permissions are granted and that administrative actions are logged and monitored.

Generated by OpenCVE AI on April 18, 2026 at 06:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01476.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://me.sap.com/notes/3675151
https://url.sap/sapsecuritypatchday

History

Tue, 13 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 13 Jan 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Sap application Server Sap netweaver Sap netweaver Abap Sap netweaver Abap Application Server Sap netweaver Application Server
Vendors & Products		Sap Sap application Server Sap netweaver Sap netweaver Abap Sap netweaver Abap Application Server Sap netweaver Application Server

Tue, 13 Jan 2026 01:45:00 +0000

Type	Values Removed	Values Added
Description		Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability.
Title		OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK
Weaknesses		CWE-78
References		https://me.sap.com/notes/3675151 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Sap Application Server Netweaver Netweaver Abap Netweaver Abap Application Server Netweaver Application Server

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-01-13T01:15:36.687Z

Updated: 2026-02-26T15:04:48.627Z

Reserved: 2025-12-09T22:06:46.853Z

Link: CVE-2026-0507

Vulnrichment

Updated: 2026-01-13T18:31:59.912Z

NVD

Status : Deferred

Published: 2026-01-13T02:15:53.427

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object