OS Command Injection Vulnerability in SAP Application Server for ABAP and NetWeaver RFCSDK
CVE-2026-0507

8.4 HIGH

What is CVE-2026-0507?

An OS Command Injection vulnerability exists in the SAP Application Server for ABAP and SAP NetWeaver RFCSDK. This flaw allows authenticated attackers with administrative privileges and adjacent network access to upload specially crafted content to the server. If this content is processed by the application, it may lead to the execution of arbitrary operating system commands. This can potentially compromise the system's confidentiality, integrity, and availability, presenting a significant risk to the organization's overall security posture.

Affected Version(s)

SAP Application Server for ABAP and SAP NetWeaver RFCSDK KRNL64UC 7.53

SAP Application Server for ABAP and SAP NetWeaver RFCSDK NWRFCSDK 7.50

SAP Application Server for ABAP and SAP NetWeaver RFCSDK KERNEL 7.53

CVSS V3.1

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
