Severity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.
AnalysisAI
OS command injection in SAP Forecasting & Replenishment allows authenticated administrators to execute arbitrary system commands through abuse of a non-remote-enabled function, leading to complete system compromise. The vulnerability enables full read/write access to system data and potential system shutdown, though exploitation is constrained to local attack vectors and requires high-privilege administrative access (CVSS 8.2). No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available via SAP Security Patch Day.
Technical ContextAI
This is a CWE-77 OS Command Injection vulnerability affecting SAP Forecasting & Replenishment, a supply chain planning application within the SAP Business Suite. The flaw exists in a non-remote-enabled function module that improperly sanitizes user-supplied input before passing it to operating system command execution interfaces. In SAP systems, non-remote-enabled functions are typically intended for internal use only and should not be directly callable via RFC (Remote Function Call), but authenticated administrators can abuse them through direct local invocation. The vulnerability allows breaking out of the application's execution context to run arbitrary shell commands with the privileges of the SAP application server process, typically the <sid>adm operating system user which has extensive permissions within the SAP landscape.
RemediationAI
Apply the vendor-released patch documented in SAP Security Note 3732471, accessible via SAP Support Portal at https://me.sap/notes/3732471. SAP Security Notes typically provide Support Package Stack levels or individual SAP Notes containing corrected function modules that must be imported via SNOTE transaction. Organizations should follow SAP's patch deployment methodology including development/QA testing before production implementation. As a compensating control until patching, restrict administrative authorizations for SAP Forecasting & Replenishment to a minimal set of trusted users, implement separation of duties to prevent single-user administrative access, and enable SAP Security Audit Log (transaction SM19/SM20) to monitor execution of sensitive function modules. Review and restrict S_DEVELOP and S_RFC authorizations that permit direct function module debugging and execution. Monitor operating system process execution from SAP work processes using host-based intrusion detection. Note that restricting admin access may impact legitimate system administration activities and requires coordination with BASIS and functional teams.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29367
GHSA-cqhw-vpw6-ww5x