CVE-2023-27893 HIGH

CVE-2023-27893: Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI)

Vendor SAP
Product Solution Manager and ABAP managed systems
Weakness CWE-94 · Code injection
Published March 14, 2023
Last update February 27, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable.

Key dates

02 Disclosure timeline

March 14, 2023 CVE published
February 27, 2025 Record updated