SAP AppSrv ABAP OS Command Injection via RFC SDK
CVE-2026-0507 Published on January 13, 2026
OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK
Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the systems confidentiality, integrity, and availability.
Vulnerability Analysis
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-0507 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2026-0507
Want to know whenever a new CVE is published for SAP NetWeaver? stack.watch will email you.
Affected Versions
SAP_SE SAP Application Server for ABAP and SAP NetWeaver RFCSDK:- Version KRNL64UC 7.53 is affected.
- Version NWRFCSDK 7.50 is affected.
- Version KERNEL 7.53 is affected.
- Version 7.54 is affected.
- Version 7.77 is affected.
- Version 7.89 is affected.
- Version 7.93 is affected.
- Version 9.16 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.