CVE-2026-0507
Published: 13 January 2026
Summary
CVE-2026-0507 is a high-severity OS Command Injection (CWE-78) vulnerability in SAP software (inferred from references). Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 45.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-0507 is an OS command injection vulnerability, tracked under CWE-78, that affects SAP Application Server for ABAP and SAP NetWeaver RFCSDK. An authenticated attacker with administrative privileges and adjacent network access can upload specially crafted content that, when processed by the application, results in execution of arbitrary operating system commands and full compromise of system confidentiality, integrity, and availability. The issue carries a CVSS 3.1 score of 8.4.
An attacker positioned on an adjacent network who already possesses administrative credentials can supply malicious content to the server; successful processing of that content grants the ability to run arbitrary OS commands, enabling complete control over the affected SAP system.
SAP has published mitigation guidance in note 3675151 and addressed the issue as part of its security patch day release cycle. The associated EPSS score remains low, with a current value of 0.0138 and a recorded peak of 0.0184.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2380
Vulnerability details
Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system's confidentiality, integrity, and availability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The OS command injection vulnerability directly enables Exploitation for Privilege Escalation (T1068), moving the attacker from application administrator to OS-level remote code execution, and it facilitates abuse of Command and Scripting Interpreters (T1059) for arbitrary OS command execution.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the insufficient input validation that enables the OS command injection by requiring validation of uploaded content before processing.
SI-2 ensures timely application of SAP patches specified in the advisory, remediating the specific flaw causing the command injection vulnerability.
SI-9 restricts the types and formats of uploaded content to known safe inputs, mitigating the ability to upload specially crafted malicious payloads.
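The three controls above describe the defensive pattern for CWE-78 in general terms. The following Python is an added illustration of what SI-10 and SI-9 look like in code; it is not SAP's code and says nothing about how the affected components process uploads. The `process_upload` program, the allowlisted file types and the name policy are assumptions constructed for the example. It places the weak pattern (user-controlled text spliced into a shell command line) beside the hardened one (allowlist validation of name and content, then an argv list that is executed without a shell).

```python
import re
import subprocess
from pathlib import PurePosixPath

# Hypothetical upload policy for this example (SI-9: restrict uploads to
# known-safe types and formats). Not taken from any SAP advisory.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
ALLOWED_SUFFIXES = {".txt", ".csv", ".xml"}


def build_shell_command_vulnerable(filename: str) -> str:
    """Weak pattern: the upload name becomes part of a shell command line.

    Whatever the caller later does with this string (os.system, shell=True),
    shell metacharacters in the name change which commands the shell runs.
    """
    return "process_upload " + filename  # hypothetical processor program


def validate_upload(filename: str, content: bytes) -> str:
    """SI-10: validate the upload before anything processes it.

    Returns the accepted base name or raises ValueError with the reason.
    """
    # Reject any directory component, so "../x.txt" or "/etc/x.txt" never
    # reaches the processor as a path.
    if PurePosixPath(filename).name != filename:
        raise ValueError("directory components are not allowed in an upload name")
    # Allowlist, not denylist: only characters we positively expect.
    # This is what stops ';', '|', '`', '$', quotes, spaces and backslashes.
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("file name contains characters outside the allowlist")
    if PurePosixPath(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file type is not permitted")
    # Content checks for the text-only types this policy permits.
    if b"\x00" in content:
        raise ValueError("binary content is not accepted for text upload types")
    content.decode("utf-8")  # raises UnicodeDecodeError on malformed text
    return filename


def build_command_hardened(filename: str, content: bytes) -> list[str]:
    """Hardened pattern: validated name, passed as one argv element.

    subprocess.run(argv) with a list and shell=False executes the program
    directly; no shell ever parses the file name, so metacharacters in it
    are data, not syntax.
    """
    base = validate_upload(filename, content)
    return ["process_upload", "--input", base]


def is_accepted(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation."""
    try:
        validate_upload(filename, content)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def execute_upload_processor(argv: list[str]) -> int:
    """Run the (hypothetical) processor without a shell and return its exit code."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample uploads. The second one carries a classic CWE-78
    # payload in the name; note how each pattern treats it.
    samples = [
        ("report.csv", b"id,total\n1,42\n"),
        ("report.csv; id", b"id,total\n"),
        ("../../etc/passwd.txt", b""),
        ("image.png", b"\x89PNG\x00"),
    ]
    for name, body in samples:
        print("weak   :", repr(build_shell_command_vulnerable(name)))
        print("hardened:", "accepted " + str(build_command_hardened(name, body))
              if is_accepted(name, body) else "rejected")
```

The point of the hardened function is that validation happens in one place, before processing, and that the processor receives an argv list rather than a string. Logging the rejected names (with the reason from `ValueError`) gives a detection signal for crafted-upload attempts against the upload endpoint.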