Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.
AnalysisAI
OS command injection in SAP NetWeaver Application Server for ABAP and ABAP Platform allows authenticated administrators to execute arbitrary shell commands on the server while bypassing audit logging. The vulnerability affects integrity and availability but not confidentiality, and requires high-privilege administrative access over the network with no user interaction. CVSS 6.5 reflects the high-privilege requirement despite severe impact potential.
Technical ContextAI
This vulnerability exploits improper neutralization of special elements used in an OS command (CWE-77) within SAP NetWeaver's ABAP/ABAP Platform component. The affected system processes user-supplied input in administrative functions without adequate validation or sanitization before passing it to the underlying operating system shell. The vulnerability specifically allows bypass of the logging mechanism, meaning executed commands leave no audit trail. SAP NetWeaver Application Server is a core enterprise application platform that runs business-critical ABAP applications, making command injection in this context particularly severe despite the authentication requirement.
RemediationAI
Apply the security patch released by SAP for this vulnerability, available through SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and documented in SAP Note 3730019. The specific patch version number is not detailed in available data - verify the exact patched version number for your NetWeaver release via the SAP Note. Until patching is possible, implement compensating controls: restrict administrative access to NetWeaver systems using role-based access control and principle of least privilege, enforce multi-factor authentication for administrator accounts to prevent credential compromise, implement real-time monitoring and alerting on OS command execution on NetWeaver application servers to detect exploitation attempts despite the logging bypass, disable or restrict any ABAP programs or modules that are not required for business operations and could expose command injection entry points, and conduct a privileged access review to identify and remediate over-provisioned administrator accounts. Note that these controls address the attack prerequisites (high-privilege access) rather than the vulnerability itself and should be considered temporary measures pending patch deployment.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29366
GHSA-8w5g-hw8f-fqqg