CVE-2023-27497 CRITICAL

CVE-2023-27497: Multiple vulnerabilities in SAP Diagnostics Agent (EventLogServiceCollector)

Vendor Sap
Product Diagnostics Agent (EventLogServiceCollector)
Weakness CWE-306 · Missing auth
Published April 11, 2023
Last update February 7, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Due to missing authentication and input sanitization of code the EventLogServiceCollector of SAP Diagnostics Agent - version 720, allows an attacker to execute malicious scripts on all connected Diagnostics Agents running on Windows. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system.

Key dates

02Disclosure timeline

April 11, 2023 CVE published
February 7, 2025 Record updated