Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Requires valid low-privilege credentials (PR:L) and a victim to process the crafted archive (UI:R); deserialization gives high C/I with limited availability impact (A:L).
Primary rating from Vendor (sap).
CVSS VectorVendor: sap
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
SAP Change and Transport System Attach Tool (ctsattach) allows an authenticated attacker to supply a specially crafted archive file which, when processed by the application�s library, can trigger insecure deserialization and lead to remote code execution (RCE) on the system. Successful exploitation requires a victim to process the malicious archive, enabling the attacker to execute the RCE and extract sensitive information and gain control over the system and its processes. This vulnerability has a high impact on confidentiality and integrity of the data, with a low impact on the availability of the system.
AnalysisAI
Insecure deserialization in the SAP Change and Transport System Attach Tool (ctsattach) lets an authenticated, low-privileged attacker achieve remote code execution by supplying a crafted archive that a victim then processes through the tool's library. Successful exploitation yields high confidentiality and integrity impact - attackers can read sensitive data and take control of the host and its processes - with low availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold valid low-privilege credentials on the SAP system (PR:L - not anonymous), and critically requires a victim to actually process the attacker's crafted archive file through the ctsattach tool (UI:R), meaning it does not fire automatically. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L, base 7.6 High) indicates a network-reachable but not fully unauthenticated attack: PR:L means the attacker needs valid low-level credentials, and UI:R means a victim must actively process the malicious archive, so this is not a wormable, zero-click flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privileged but valid access to the SAP landscape crafts a malicious transport/archive file containing a hostile serialized object graph and stages it where an administrator will pick it up. When a victim runs ctsattach to process that archive, the tool's library deserializes the attacker's data and executes arbitrary code on the host, giving the attacker read access to sensitive data and control over system processes. … |
| Remediation | Apply the fix referenced in SAP Security Note 3773304 (https://me.sap.com/notes/3773304), released via SAP Security Patch Day (https://url.sap/sapsecuritypatchday); the note requires SAP authentication to view exact patched versions, so retrieve and apply the corresponding SAP Basis/support-package or patch level for your release rather than an invented version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify and inventory all SAP systems running ctsattach and document current versions; contact SAP Support to confirm exposure and request patch availability timeline. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43596
GHSA-hfjv-fqqx-2hxw