CVE-2023-27497

CRITICAL

SAP Diagnostics Agent 720 - Unauthenticated Remote Code Execution via EventLogServiceCollector

Title source: llm

Description

Due to missing authentication and input sanitization of code the EventLogServiceCollector of SAP Diagnostics Agent - version 720, allows an attacker to execute malicious scripts on all connected Diagnostics Agents running on Windows. On successful exploitation, the attacker can completely compromise confidentiality, integrity and availability of the system.

References (2)

Core 2

Core References

Permissions Required

https://launchpad.support.sap.com/#/notes/3305369

Vendor Advisory

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Scores

CVSS v3 10.0

EPSS 0.0035

EPSS Percentile 57.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-306

Status published

Products (1)

sap/diagnostics_agent 720

Published Apr 11, 2023

Tracked Since Feb 18, 2026