Cyber Resilience

CVE-2026-40135

Severity: Medium · RCE · Updated

Published: 12 May 2026
Modified: 03 June 2026
KEV Added: not listed
CVSS v3.1 Score: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0140 (69.0th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-40135 is a medium-severity Command Injection (CWE-77) vulnerability in SAP NetWeaver Application Server ABAP. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 31.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Vulnerability details

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.

CWE(s): CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1690 Prevent Command History Logging (Defense Impairment): Adversaries may impair command history logging to hide commands they run on a compromised system.
Why these techniques?

OS command injection directly enables shell command execution (T1059); the described bypass of the logging mechanism maps to impairing command history logging (T1562.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: sap
Product: netweaver application server abap
Versions: 700, 701, 702, 731, 740

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
