Impact
An OS command injection vulnerability allows an authenticated attacker with administrative privileges to run arbitrary shell commands on the SAP NetWeaver Application Server for ABAP and ABAP Platform. The flaw bypasses the system's logging mechanism, so unintended OS commands can be executed without detection. The impact is primarily on integrity and availability, as malicious code can alter system state or disrupt services, while confidentiality remains unaffected. The weakness is classified as CWE-77.
Affected Systems
SAP NetWeaver Application Server for ABAP and ABAP Platform are affected; the advisory does not list the specific affected releases. Administrators should check SAP Note 3730019 for the exact editions and build numbers that require remediation.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the lack of an EPSS value means the exploit probability is not publicly quantified. The vulnerability is not recorded in CISA's KEV catalogue. Because the attack requires authenticated administrative access, the risk is elevated in environments where such credentials are widely available or poorly protected. Because the logging mechanism is bypassed, malicious activity may go unnoticed, increasing potential damage before detection.