
CVE-2026-27675: SAP Landscape Transformation RCE Flaw

CVE-2026-27675 is a remote code execution vulnerability in SAP Landscape Transformation that allows high-privileged attackers to inject ABAP code and OS commands. This article covers technical details, affected systems, detection methods, and mitigation steps.


CVE-2026-27675 Overview

CVE-2026-27675 affects SAP Landscape Transformation (SLT). The vulnerability resides in a Remote Function Call (RFC) exposed function module. A high-privileged adversary can inject arbitrary ABAP code and operating system commands through this interface.

Exploitation requires high privileges, high attack complexity, and user interaction. Successful exploitation results in limited modification of data; the attacker does not control the type or scope of the changes. Confidentiality and availability are not impacted, and the integrity impact is rated low. The flaw is classified under CWE-94: Improper Control of Generation of Code.

Critical Impact

An authenticated, high-privileged attacker can inject ABAP code and OS commands through an RFC-exposed function module, resulting in unauthorized modification of data within the SAP Landscape Transformation environment.

Affected Products

  • SAP Landscape Transformation (SLT)
  • RFC-exposed function modules within the SLT component
  • SAP environments where SLT is deployed for data replication and migration

Discovery Timeline

  • 2026-04-14 - CVE-2026-27675 published to NVD
  • 2026-04-17 - Last updated in NVD database

Technical Details for CVE-2026-27675

Vulnerability Analysis

The vulnerability exists in a function module exposed over RFC within SAP Landscape Transformation. The module accepts input that is later passed to ABAP code generation and operating system command execution routines without adequate validation. An attacker with high privileges and the ability to invoke the affected RFC interface can supply crafted input that the module incorporates into dynamically generated ABAP statements.

The injection enables execution of attacker-supplied ABAP logic in the SAP application server context. The same flaw also permits operating system command injection, extending the attacker's reach to the underlying host. Although the code injection class typically permits significant impact, the CVSS analysis indicates limited integrity impact because the attacker cannot reliably control the kind or degree of modification produced.

User interaction is required for the exploit chain to succeed, which constrains opportunistic exploitation. The combination of high privileges and high attack complexity further narrows the attacker population to insiders or adversaries who have already compromised privileged SAP credentials.

Root Cause

The root cause is improper control of generation of code [CWE-94]. The affected function module constructs ABAP code and OS command strings from parameters received over RFC without enforcing strict input validation or safe code generation patterns.

Attack Vector

The attack vector is network-based. An adversary holding high-privileged SAP credentials invokes the RFC-exposed function module and supplies crafted parameters. Once the required user interaction takes place, the module evaluates the malicious payload, executing the injected ABAP statements and OS commands on the SLT host.

No verified public exploit code is available for CVE-2026-27675. Technical details are documented in SAP Security Note #3723097.

Detection Methods for CVE-2026-27675

Indicators of Compromise

  • Unexpected RFC calls to SAP Landscape Transformation function modules from non-administrative origins or unusual source hosts
  • Anomalous ABAP code generation events or syntax errors logged in the SLT system trace
  • Unscheduled child processes spawned by SAP work processes (disp+work) on the SLT host
  • Modifications to SLT configuration tables or transformation rules outside change-management windows

Detection Strategies

  • Enable and review SAP Security Audit Log (SM19/SM20) for RFC function module invocations against SLT modules
  • Correlate RFC gateway logs with privileged user activity to surface high-privilege calls that include code-like parameters
  • Monitor sapgw and sapdp traffic for unusual function module names referenced by authenticated sessions
  • Inspect operating system process creation telemetry on SLT hosts for shell commands launched by SAP service accounts

Monitoring Recommendations

  • Forward SAP Security Audit Log, RFC gateway log, and host process telemetry to a centralized analytics pipeline for correlation
  • Alert on any new or modified ABAP program activation by users invoking SLT RFC modules
  • Baseline RFC call patterns for SLT and flag deviations in caller, parameter length, or function frequency
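The indicator and detection bullets above can be turned into a simple log triage rule: flag RFC calls into SLT modules from unbaselined hosts, with oversized or code-like parameters, or at an unusual frequency. This added Python example is not from the original page or from SAP; it assumes a constructed, simplified RFC audit record format (not the real SM20 export), a placeholder `SLT_` module-name prefix, and a constructed baseline of trusted caller hosts.

```python
"""Flag suspicious RFC calls to SLT function modules in audit log records.
Added example, not from the page or SAP: the record format is a constructed
simplified export (not SM20) and SLT_ is an assumed placeholder prefix."""
import re
from collections import Counter

# Constructed baseline: hosts that normally call SLT modules and the usual
# upper bound on parameter length seen during routine replication.
BASELINE_HOSTS = {"slt-app01", "slt-app02"}
BASELINE_MAX_PARAM_LEN = 120
# ABAP dynamic code generation keywords and shell metacharacters that should
# never appear in a data parameter (CWE-94 / OS command injection).
CODE_LIKE = re.compile(r"(?i)\bINSERT REPORT\b|\bGENERATE SUBROUTINE POOL\b|[;|&`$]")
RECORD = re.compile(r"^(?P<ts>\S+) RFC user=(?P<user>\S+) host=(?P<host>\S+) "
                    r"fm=(?P<fm>\S+) param=(?P<param>.*)$")

def analyze(lines, max_calls_per_host=2):
    """Return (reason, record) findings for RFC calls into SLT modules."""
    findings, per_host = [], Counter()
    for line in lines:
        m = RECORD.match(line)
        if not m or not m["fm"].startswith("SLT_"):
            continue  # only calls into SLT function modules are in scope
        host, param = m["host"], m["param"]
        per_host[host] += 1
        if host not in BASELINE_HOSTS:
            findings.append(("unbaselined caller host", line))
        if len(param) > BASELINE_MAX_PARAM_LEN:
            findings.append(("parameter length above baseline", line))
        if CODE_LIKE.search(param):
            findings.append(("code-like parameter content", line))
        if per_host[host] > max_calls_per_host:
            findings.append(("call frequency above baseline", line))
    return findings

def suspicious_reasons(lines):
    """Distinct finding reasons, sorted, for triage."""
    return sorted({reason for reason, _ in analyze(lines)})

# Constructed sample records: routine replication from baselined hosts, then
# a burst from an unknown workstation with code-like and oversized input.
SAMPLE_LOG = [
    "2026-04-15T09:00:01Z RFC user=SLTADMIN host=slt-app01 fm=SLT_REPLICATE_TABLE param=TABLE=MARA",
    "2026-04-15T09:00:02Z RFC user=SLTADMIN host=slt-app01 fm=SLT_REPLICATE_TABLE param=TABLE=KNA1",
    "2026-04-15T09:05:10Z RFC user=BASIS_TMP host=wks-1337 fm=SLT_REPLICATE_TABLE param=TABLE=MARA; INSERT REPORT",
    "2026-04-15T09:05:11Z RFC user=BASIS_TMP host=wks-1337 fm=SLT_REPLICATE_TABLE param=" + "A" * 130,
    "2026-04-15T09:05:12Z RFC user=BASIS_TMP host=wks-1337 fm=SLT_REPLICATE_TABLE param=TABLE=KNA1",
    "2026-04-15T09:06:00Z RFC user=DDIC host=slt-app02 fm=RFC_PING param=",
]
```

In a real deployment the baseline values would be derived from historical SLT traffic rather than hard-coded, and the record parser replaced with one for the actual audit log export.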

How to Mitigate CVE-2026-27675

Immediate Actions Required

  • Apply the corrective patch documented in SAP Security Note #3723097 on all SAP Landscape Transformation systems
  • Review and revoke unnecessary high-privileged authorizations that permit invocation of the affected RFC function module
  • Restrict RFC gateway access using secinfo and reginfo rules to allow only known trusted hosts
  • Audit recent SLT activity for signs of unauthorized ABAP changes or OS command execution

Patch Information

SAP released fixes as part of its monthly Security Patch Day. Administrators should consult SAP Security Note #3723097 and the SAP Security Patch Day Announcement for version-specific guidance and download instructions.

Workarounds

  • Limit RFC connectivity to SLT systems through network segmentation and firewall rules
  • Apply the principle of least privilege to SAP roles that grant access to SLT transactions and RFC modules
  • Enforce strong multi-factor authentication for accounts with S_RFC authorizations that target SLT function groups
  • Disable or restrict the affected function module until the SAP Security Note is applied if operationally feasible

```text
# Configuration example: restrict RFC gateway access in secinfo/reginfo.
# These are two separate files; both use the version-2 syntax, which
# requires the #VERSION=2 header as the first line of each file.

#VERSION=2
# secinfo entry: permit only users on the trusted application server to
# start programs, and only on the local (gateway) host
P TP=* USER=* USER-HOST=trusted-app-host HOST=local

#VERSION=2
# reginfo entry: allow trusted_program to register only from trusted-app-host,
# reachable from internal application servers and the local host
P TP=trusted_program HOST=trusted-app-host ACCESS=internal,local
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
