Skip to main content

SAP ctsattach CVE-2026-58233

| EUVDEUVD-2026-43596 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-14 sap GHSA-hfjv-fqqx-2hxw
7.6
CVSS 3.1 · Vendor: sap
Share

Severity by source

Vendor (sap) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
vuln.today AI
7.6 HIGH

Requires valid low-privilege credentials (PR:L) and a victim to process the crafted archive (UI:R); deserialization gives high C/I with limited availability impact (A:L).

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (sap).

CVSS VectorVendor: sap

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 01:18 vuln.today
CVE Published
Jul 14, 2026 - 00:21 cve.org
HIGH 7.6

DescriptionCVE.org

SAP Change and Transport System Attach Tool (ctsattach) allows an authenticated attacker to supply a specially crafted archive file which, when processed by the application�s library, can trigger insecure deserialization and lead to remote code execution (RCE) on the system. Successful exploitation requires a victim to process the malicious archive, enabling the attacker to execute the RCE and extract sensitive information and gain control over the system and its processes. This vulnerability has a high impact on confidentiality and integrity of the data, with a low impact on the availability of the system.

AnalysisAI

Insecure deserialization in the SAP Change and Transport System Attach Tool (ctsattach) lets an authenticated, low-privileged attacker achieve remote code execution by supplying a crafted archive that a victim then processes through the tool's library. Successful exploitation yields high confidentiality and integrity impact - attackers can read sensitive data and take control of the host and its processes - with low availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged SAP access
Delivery
Craft malicious archive with hostile serialized objects
Exploit
Stage archive for administrator pickup
Execution
Victim processes archive via ctsattach
Persist
Insecure deserialization triggers code execution
Impact
Read sensitive data and control host processes

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold valid low-privilege credentials on the SAP system (PR:L - not anonymous), and critically requires a victim to actually process the attacker's crafted archive file through the ctsattach tool (UI:R), meaning it does not fire automatically. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L, base 7.6 High) indicates a network-reachable but not fully unauthenticated attack: PR:L means the attacker needs valid low-level credentials, and UI:R means a victim must actively process the malicious archive, so this is not a wormable, zero-click flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privileged but valid access to the SAP landscape crafts a malicious transport/archive file containing a hostile serialized object graph and stages it where an administrator will pick it up. When a victim runs ctsattach to process that archive, the tool's library deserializes the attacker's data and executes arbitrary code on the host, giving the attacker read access to sensitive data and control over system processes. …
Remediation Apply the fix referenced in SAP Security Note 3773304 (https://me.sap.com/notes/3773304), released via SAP Security Patch Day (https://url.sap/sapsecuritypatchday); the note requires SAP authentication to view exact patched versions, so retrieve and apply the corresponding SAP Basis/support-package or patch level for your release rather than an invented version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all SAP systems running ctsattach and document current versions; contact SAP Support to confirm exposure and request patch availability timeline. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy