
CVE-2019-0344

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 14 August 2019
Modified: 31 October 2025
KEV Added: 30 September 2024
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4020 (97.4th percentile)
Risk Priority: 64 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-0344 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SAP Commerce Cloud. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2019-0344 is an unsafe deserialization vulnerability in the virtualjdbc extension of SAP Commerce Cloud (formerly Hybris), affecting versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, and 1905. The flaw, tracked under CWE-502, allows untrusted data to be deserialized without proper validation, enabling code injection that executes with the privileges of the Hybris user account. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with low attack complexity and no required credentials or user interaction.

An unauthenticated remote attacker can send a crafted serialized object to the vulnerable extension and achieve arbitrary code execution on the target system. Successful exploitation grants the attacker the ability to run commands, access or modify data, and potentially pivot within the affected SAP environment under Hybris user rights.

SAP Security Note 2786035 and the associated wiki documentation provide remediation guidance, including patches that address the deserialization issue in supported releases. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation activity.

EU & UK References

Vulnerability details

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 30 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: SAP
Product: Commerce Cloud
Versions: 1808, 1811, 1905, 6.4, 6.5

Mitigating Controls (NIST 800-53 r5; AI-assisted mapping)

Prevent: Directly requires validation of untrusted serialized input before deserialization, blocking the crafted objects that enable arbitrary code execution in the virtualjdbc extension.

Prevent / Detect: Requires integrity verification of software and data, which can detect or block unauthorized code introduced via the deserialization flaw.

Detect / Respond: Provides malicious-code detection mechanisms that can identify the code-execution payload resulting from successful exploitation of the unsafe deserialization.
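The "validate untrusted serialized input before deserialization" control above has a concrete Java counterpart: a JDK deserialization filter (JEP 290, java.io.ObjectInputFilter, available since Java 9) that is consulted for every class in the stream before any object is constructed. The following is an added example for illustration only; it is not SAP's code and does not use the real virtualjdbc extension's API. The QueryRequest type and the endpoint it stands in for are constructed for the example. It places the unguarded readObject() pattern beside the allow-list form and shows a stream carrying an unexpected class (a plain HashMap here) being rejected.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationGuard {

    // Constructed sample message type: the one class a hypothetical
    // "query over the network" endpoint is meant to accept.
    public static final class QueryRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sql;
        QueryRequest(String sql) { this.sql = sql; }
    }

    // Unguarded pattern: whatever class name the stream names is resolved
    // and instantiated, so the caller has no say in what gets created.
    static Object deserializeUnchecked(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern (SI-10): an allow-list filter with resource limits.
    // Class patterns are matched in order; "!*" rejects everything not
    // explicitly allowed. Strings are listed because the JDK filters them too.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=65536;"
            + QueryRequest.class.getName() + ";java.lang.String;!*");

    static Object deserializeChecked(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // The filter runs during class resolution, before allocation,
            // so a disallowed class never reaches its readObject/finalize logic.
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    // Helper to produce sample streams for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new QueryRequest("SELECT 1"));
        // Harmless stand-in for "a class the endpoint never expected".
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unchecked, legit:      "
                + deserializeUnchecked(legit).getClass().getName());
        System.out.println("unchecked, unexpected: "
                + deserializeUnchecked(unexpected).getClass().getName());
        System.out.println("checked,   legit:      "
                + deserializeChecked(legit).getClass().getName());
        try {
            deserializeChecked(unexpected);
            System.out.println("checked,   unexpected: accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("checked,   unexpected: rejected by filter (" + e.getMessage() + ")");
        }
    }
}
```

The point a practitioner should take from the contrast: the unchecked path happily builds the HashMap, and would equally build any other class present on the classpath, while the filtered path throws InvalidClassException with a "filter status: REJECTED" message before the object exists. A per-stream filter as shown is the narrowest option; the same pattern string can be applied process-wide with the jdk.serialFilter system property, which is a useful stopgap for third-party code that owns its own ObjectInputStream instances. The maxdepth/maxrefs/maxbytes limits also bound the resource-exhaustion side of hostile streams, which an allow-list alone does not.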

References