CVE-2023-27267 CRITICAL

CVE-2023-27267: Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge)

Vendor SAP
Product Diagnostics Agent (OSCommand Bridge)
Weakness CWE-306 · Missing auth
Published April 11, 2023
Last update February 7, 2025

CVSS base score

9.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Due to missing authentication and insufficient input validation, the OSCommand Bridge of SAP Diagnostics Agent, version 720, allows an attacker with deep knowledge of the system to execute scripts on all connected Diagnostics Agents. On successful exploitation, the attacker can completely compromise the confidentiality, integrity and availability of the system.

Key dates

02 Disclosure timeline

April 11, 2023 CVE published
February 7, 2025 Record updated