Cyber Posture

CVE-2026-0507

High

Published: 13 January 2026

Modified: 15 April 2026
KEV Added:
Patch
CVSS Score: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0148 (81.1th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system's confidentiality, integrity, and availability.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: SI-10 (Information Input Validation) directly addresses the insufficient input validation that enables the OS command injection by requiring validation of uploaded content before processing.
- Prevent: SI-2 (Flaw Remediation) ensures timely application of the SAP patches specified in the advisory, remediating the specific flaw that causes the command injection vulnerability.
- Prevent: SI-9 restricts the types and formats of uploaded content to known safe inputs, mitigating the ability to upload specially crafted malicious payloads.

Security Summary [AI-generated]

CVE-2026-0507 is an OS Command Injection vulnerability (CWE-78) affecting SAP Application Server for ABAP and SAP NetWeaver RFCSDK. Published on 2026-01-13, it carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The flaw arises from insufficient input validation, allowing specially crafted content to be processed by the application and trigger arbitrary operating system command execution.

An authenticated attacker with administrative privileges and adjacent network access can exploit this vulnerability by uploading malicious content to the server. If the application processes this content, the attacker achieves remote code execution, potentially leading to full compromise of the system's confidentiality, integrity, and availability.

SAP advisories provide mitigation details, including patches available via SAP Security Patch Day at https://url.sap/sapsecuritypatchday and specific guidance in SAP Note 3675151 at https://me.sap.com/notes/3675151. Security practitioners should apply these updates promptly to affected systems.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1059 Command and Scripting Interpreter (tactic: Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The OS command injection vulnerability directly enables exploitation for privilege escalation (T1068), moving the attacker from application administrator to OS-level remote code execution, and facilitates abuse of command and scripting interpreters (T1059) for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References