Impact
The vulnerability is a code injection flaw (CWE-94) in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker can craft a payload that the application processes and forwards to users subscribed to a channel. When the payload is delivered, it can be executed, letting the attacker run arbitrary code in the context of those users' accounts. The impact is limited to the integrity of the affected accounts; there is no direct threat to confidentiality or system availability.
Affected Systems
SAP Application Server ABAP for SAP NetWeaver and ABAP Platform are affected. Specific vulnerable versions are not listed in the data; the patch associated with SAP Note 3735359 applies to the impacted releases.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The vulnerability has no listed KEV exposure and its EPSS score is unavailable, suggesting limited observed exploitation. The only prerequisite for exploitation is that the attacker authenticates to the SAP system and sends a crafted channel payload. Because the flaw requires legitimate credentials, the likely attack vector is an authenticated user submitting malicious input through the application's channel interface. Because the vulnerability allows arbitrary code execution only against other users, not the authenticated attacker themselves, the overall risk to the system is considered moderate but non-zero.