Description
SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.
Published: 2026-04-14
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Low integrity impact
Action: Patch
AI Analysis

Impact

An RFC‑exposed function module in SAP Landscape Transformation allows a high privileged user to inject arbitrary ABAP code and operating‑system commands. The injected code can alter system behavior, but the attacker cannot fully control what changes occur; the result is limited primarily to integrity with no direct impact on confidentiality or availability.

Affected Systems

The vulnerability applies to the SAP Landscape Transformation product from SAP SE. No specific product versions are listed, so administrators should verify whether their installations are covered by this issue.

Risk and Exploitability

The CVSS score of 2 indicates a low severity assessment. EPSS information is not available and the vulnerability is not in the CISA KEV catalog. The attack vector is inferred to be a remote interaction via the exposed RFC function, requiring a high‑privileged account. The combination of low severity and high privilege requirement leads to a low overall risk, yet the availability of an exploitation path warrants patching to prevent potential integrity violations.

Generated by OpenCVE AI on April 14, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch or update referenced in SAP Note 3723097 to all affected SAP Landscape Transformation instances.
  • If a patch is not yet available, restrict the vulnerable RFC function module to trusted users and enforce network segmentation to limit exposure.
  • Monitor ABAP execution logs and other system activity to detect abnormal code execution or unauthorized changes.

Generated by OpenCVE AI on April 14, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap landscape Transformation
Vendors & Products Sap
Sap landscape Transformation

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.
Title Code Injection vulnerability in SAP Landscape Transformation
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Sap Landscape Transformation
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:18.764Z

Reserved: 2026-02-23T17:50:10.513Z

Link: CVE-2026-27675

cve-icon Vulnrichment

Updated: 2026-04-14T13:09:18.783Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T00:16:05.823

Modified: 2026-04-17T15:18:16.507

Link: CVE-2026-27675

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:27Z

Weaknesses