high2026-07-14SAP NetWeaverCVE-2026-58233

Remote Code Execution in SAP Change and Transport System Attach Tool

SAP Change and Transport System Attach Tool (ctsattach)

Our Take

RCE in a transport system component is a meaningful risk — the CTS is the mechanism that promotes changes through your landscape, so a compromised ctsattach tool could be used to introduce malicious transports. Restrict network access immediately and patch within two weeks.

Vulnerability Detail

An insecure deserialization vulnerability in the SAP Change and Transport System Attach Tool (ctsattach) allows an attacker with network access to the tool to send a maliciously crafted payload that triggers remote code execution on the server hosting ctsattach. The CTS Attach Tool is used for attaching external systems to the SAP Change and Transport System.

Workaround

Restrict network access to the ctsattach tool to trusted CTS infrastructure only. The tool should not be reachable from general user networks.

Patch Action

Apply SAP Note 3773304.

Affected Versions

BC-CTS-TMS-PLS — see SAP Note for specific ctsattach versions

Patch Info

CVSS Score

7.6

SAP Note

3773304

CVE

CVE-2026-58233

Published

2026-07-14

← All patches