CVE-2026-58233

SAP_SE · SAP Change and Transport System Attach Tool (ctsattach)

An insecure deserialization vulnerability in SAP's ctsattach tool allows authenticated attackers to execute arbitrary code via specially crafted archives.

Executive summary

SAP’s ctsattach tool contains a critical insecure deserialization vulnerability that could allow an authenticated attacker to achieve Remote Code Execution (RCE).

Vulnerability

The tool is vulnerable to CWE-502 (Deserialization of Untrusted Data), where the application processes a malicious archive file. This vulnerability requires an authenticated attacker to interact with the system, leading to potential RCE on the underlying infrastructure.

Business impact

With a CVSS score of 7.6, this vulnerability represents a significant threat to the security of SAP environments. Successful exploitation allows an attacker to gain remote code execution, granting them full control over the affected system, which could lead to total data compromise and operational disruption.

Remediation

Immediate Action: Apply the security patches provided by SAP via the official SAP Security Patch Day channels (Note 3773304).

Proactive Monitoring: Monitor system logs for unauthorized file processing activities or abnormal process execution spawned by the ctsattach utility.

Compensating Controls: Restrict access to the ctsattach tool to only essential personnel and ensure that incoming archives are scanned by security software before being processed by the system.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Organizations utilizing the SAP Change and Transport System should prioritize the application of the vendor-supplied patch. Given the potential for RCE, ensure that all systems are updated and that access control mechanisms are strictly enforced to minimize the risk of exploitation.