CVE-2026-27675 Overview
CVE-2026-27675 is a Code Injection vulnerability affecting SAP Landscape Transformation. The vulnerability exists in an RFC-exposed function module that could allow a high-privileged adversary to inject arbitrary ABAP code and operating system commands. While the attack requires significant access and user interaction, successful exploitation could result in unauthorized modification of system information.
Critical Impact
High-privileged attackers can inject arbitrary ABAP code and OS commands through an RFC-exposed function module, leading to integrity compromise of SAP systems.
Affected Products
- SAP Landscape Transformation
Discovery Timeline
- April 14, 2026 - CVE-2026-27675 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27675
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw exists within an RFC-exposed function module in SAP Landscape Transformation that fails to properly validate or sanitize input before processing. This improper input handling allows an authenticated attacker with high privileges to inject malicious ABAP code or operating system commands.
The exploitation requires network access, high attack complexity, high privileges, and user interaction. Because of this combination of restrictive preconditions, practical exploitability is limited. When successfully exploited, the vulnerability has a low integrity impact: the attacker can modify some information, but has no control over the kind or degree of modification. Confidentiality and availability are not impacted by this vulnerability.
Root Cause
The root cause of CVE-2026-27675 lies in inadequate input validation within an RFC-exposed function module in SAP Landscape Transformation. The function module fails to properly sanitize user-supplied input before incorporating it into dynamically generated ABAP code or system commands. This lack of proper input validation allows specially crafted input to be interpreted as executable code rather than data, enabling code injection attacks.
Attack Vector
The attack vector for this vulnerability is network-based, targeting RFC-enabled function modules in SAP Landscape Transformation. An attacker requires:
- Network access to the target SAP system
- High-privileged authentication to the system
- User interaction as part of the attack chain
The attacker must craft malicious input designed to escape the expected data context and inject arbitrary ABAP code or operating system commands. The RFC interface serves as the entry point for delivering the malicious payload to the vulnerable function module. Due to the high privileges required and the need for user interaction, this attack would typically be executed by an insider threat or through compromised administrative credentials.
Detection Methods for CVE-2026-27675
Indicators of Compromise
- Unusual RFC calls to SAP Landscape Transformation function modules from unexpected sources
- Anomalous ABAP execution patterns or unexpected dynamic code generation
- System logs showing unauthorized command execution attempts
- Unexpected modifications to system configuration or data without corresponding change requests
Detection Strategies
- Monitor RFC gateway logs for suspicious function module calls, particularly those with unusual parameter patterns
- Implement SAP Security Audit Log (SAL) monitoring for code injection indicators and dynamic program generation
- Deploy SentinelOne Singularity to detect anomalous process behavior on SAP application servers
- Review SAP System Log (SM21) for unexpected ABAP runtime errors or execution anomalies
Monitoring Recommendations
- Enable detailed RFC tracing on SAP Landscape Transformation systems during the patching window
- Configure alerts for any dynamic ABAP code generation or INSERT REPORT statements
- Monitor for OS command execution originating from SAP application server processes
- Implement network monitoring for RFC traffic patterns to and from SAP Landscape Transformation
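As an added illustration of the detection strategies and monitoring recommendations above (this is not code from the original page, from SAP or from SentinelOne), the following Python snippet applies two of those rules to a constructed export of RFC-call records: allowlisting the users and hosts that may call LT function modules, and flagging parameter values that carry dynamic ABAP code statements or shell chaining characters. The record layout, the LT_ naming prefix, the module name LT_EXAMPLE_FM and the allowlist are assumptions; AUK and AUL are the Security Audit Log message IDs for successful and failed RFC calls.

```python
"""Detection rules for the advice above; record layout (an assumption): ts|sal_event|user|caller_host|function_module|parameter_text"""
import re

# Hypothetical allowlist of who may legitimately call LT function modules via RFC.
ALLOWED_USERS = {"SAPServiceUser"}
ALLOWED_HOSTS = {"trusted_host.domain.com"}
LT_FM_PATTERN = re.compile(r"^LT_")  # assumed naming prefix for LT function modules

# Signatures for dynamic ABAP code generation and OS command chaining in a parameter value.
DYNAMIC_CODE = re.compile(r"\b(INSERT\s+REPORT|GENERATE\s+SUBROUTINE\s+POOL)\b", re.I)
OS_CHAINING = re.compile(r"(;|&&|\|\||`|\$\()")

# Constructed sample export (not real data); LT_EXAMPLE_FM is a hypothetical module name.
SAMPLE_LOG = """\
2026-04-15T08:01:12Z|AUK|SAPServiceUser|trusted_host.domain.com|LT_EXAMPLE_FM|TABNAME=MARA
2026-04-15T08:02:40Z|AUK|ADM_JDOE|10.0.50.23|LT_EXAMPLE_FM|TABNAME=MARA
2026-04-15T08:03:05Z|AUK|SAPServiceUser|trusted_host.domain.com|LT_EXAMPLE_FM|TABNAME=MARA. INSERT REPORT zz FROM lt_src.
2026-04-15T08:04:11Z|AUL|BATCH01|trusted_host.domain.com|RFC_PING|
2026-04-15T08:05:30Z|AUK|SAPServiceUser|10.0.50.23|LT_EXAMPLE_FM|TABNAME=MARA; id
"""

def parse_record(line):
    """Split one pipe-delimited record into a dict; return None for malformed lines."""
    fields = line.split("|", 5)
    return dict(zip(("ts", "event", "user", "host", "fm", "params"), fields)) if len(fields) == 6 else None

def analyze(record):
    """Return the reasons a record is suspicious (an empty list means benign)."""
    reasons = []
    if LT_FM_PATTERN.match(record["fm"]):
        # Rule 1: LT function module called by a user or from a host outside the allowlist.
        if record["user"] not in ALLOWED_USERS:
            reasons.append("lt-call-by-unexpected-user")
        if record["host"] not in ALLOWED_HOSTS:
            reasons.append("lt-call-from-unexpected-host")
    # Rule 2: parameter text carries code-generation statements or shell chaining metacharacters.
    if DYNAMIC_CODE.search(record["params"]):
        reasons.append("dynamic-abap-code-in-parameter")
    if OS_CHAINING.search(record["params"]):
        reasons.append("os-command-chaining-in-parameter")
    return reasons

def scan(log_text):
    """Map timestamp -> (user, reasons) for every suspicious record in the export."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and (reasons := analyze(rec)):
            findings[rec["ts"]] = (rec["user"], reasons)
    return findings
```

Running scan(SAMPLE_LOG) flags three of the five constructed records; the benign call from the allowlisted user and host and the non-LT RFC_PING call are left alone.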
How to Mitigate CVE-2026-27675
Immediate Actions Required
- Apply the security patch documented in SAP Note #3723097 immediately
- Review and restrict RFC authorization profiles to minimize the number of users with high privileges
- Audit existing user accounts with RFC access to SAP Landscape Transformation function modules
- Enable enhanced logging on affected SAP systems to detect potential exploitation attempts
Patch Information
SAP has released a security patch addressing this vulnerability. Organizations should review SAP Note #3723097 for detailed patching instructions and apply the fix according to their change management procedures. Additional information is available on the SAP Security Patch Day portal.
Workarounds
- Restrict RFC access to SAP Landscape Transformation function modules to only essential users and systems
- Implement network segmentation to limit direct access to SAP application servers from untrusted networks
- Disable or restrict the vulnerable RFC-exposed function module if it is not business-critical
- Apply the principle of least privilege to reduce the number of high-privileged accounts
# SAP RFC Gateway ACL Configuration Example
# Restrict which users and hosts may start programs through the gateway (secinfo file, VERSION=2 syntax)
# File: /usr/sap/<SID>/DVEBMGS<NR>/data/secinfo (profile parameter gw/sec_info)
# Note: secinfo governs external program starts via the gateway; access to individual RFC function modules
# is controlled by the S_RFC authorization object (and UCON), so restrict those as well.
#VERSION=2
P TP=* USER=SAPServiceUser USER-HOST=trusted_host.domain.com HOST=local
D TP=* USER=* USER-HOST=* HOST=*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

