Skip to main content

SAP Forecasting & Replenishment EUVDEUVD-2026-29367

| CVE-2026-34259 HIGH
Command Injection (CWE-77)
2026-05-12 sap GHSA-cqhw-vpw6-ww5x
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:16 vuln.today
CVE Published
May 12, 2026 - 02:20 nvd
HIGH 8.2

DescriptionCVE.org

Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.

AnalysisAI

OS command injection in SAP Forecasting & Replenishment allows authenticated administrators to execute arbitrary system commands through abuse of a non-remote-enabled function, leading to complete system compromise. The vulnerability enables full read/write access to system data and potential system shutdown, though exploitation is constrained to local attack vectors and requires high-privilege administrative access (CVSS 8.2). No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available via SAP Security Patch Day.

Technical ContextAI

This is a CWE-77 OS Command Injection vulnerability affecting SAP Forecasting & Replenishment, a supply chain planning application within the SAP Business Suite. The flaw exists in a non-remote-enabled function module that improperly sanitizes user-supplied input before passing it to operating system command execution interfaces. In SAP systems, non-remote-enabled functions are typically intended for internal use only and should not be directly callable via RFC (Remote Function Call), but authenticated administrators can abuse them through direct local invocation. The vulnerability allows breaking out of the application's execution context to run arbitrary shell commands with the privileges of the SAP application server process, typically the <sid>adm operating system user which has extensive permissions within the SAP landscape.

RemediationAI

Apply the vendor-released patch documented in SAP Security Note 3732471, accessible via SAP Support Portal at https://me.sap/notes/3732471. SAP Security Notes typically provide Support Package Stack levels or individual SAP Notes containing corrected function modules that must be imported via SNOTE transaction. Organizations should follow SAP's patch deployment methodology including development/QA testing before production implementation. As a compensating control until patching, restrict administrative authorizations for SAP Forecasting & Replenishment to a minimal set of trusted users, implement separation of duties to prevent single-user administrative access, and enable SAP Security Audit Log (transaction SM19/SM20) to monitor execution of sensitive function modules. Review and restrict S_DEVELOP and S_RFC authorizations that permit direct function module debugging and execution. Monitor operating system process execution from SAP work processes using host-based intrusion detection. Note that restricting admin access may impact legitimate system administration activities and requires coordination with BASIS and functional teams.

Share

EUVD-2026-29367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy