CVE-2026-27675
Description
SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-privileged attacker can exploit an RFC function module in SAP Landscape Transformation to inject arbitrary ABAP code and OS commands with low integrity impact.
Vulnerability Details
CVE-2026-27675 exists in an RFC-exposed function module within SAP Landscape Transformation [1]. The root cause is insufficient sanitization of input passed to the module, enabling a high-privileged adversary to inject arbitrary ABAP code and operating system commands. The official description notes that the attacker lacks control over the kind or degree of modification, limiting the exploit's flexibility [1].
Attack Path
To exploit the vulnerability, an attacker must already possess high privileges within the SAP system and have network access to the RFC interface. The attack requires no user interaction, but the prerequisite of high privileges significantly reduces the likelihood of exploitation in well-configured environments. The CVSS v3 score of 2.0 reflects these constraints.
Impact
Successful exploitation allows the attacker to alter certain information within the SAP system, impacting integrity. However, confidentiality and availability remain unaffected. The low integrity impact (as defined by CVSS 2.0/3.0) means only limited data can be modified, and the attacker cannot precisely determine what changes occur [1].
Mitigation
SAP recommends applying the security patch delivered through the regular SAP Security Patch Day process, specifically the correction referenced in SAP Security Notes [1]. Administrators should review and apply the note for SAP Landscape Transformation to close the vulnerability. No workarounds are documented; patching is the primary remediation.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References: 2
News mentions: 0. No linked articles in our index yet.