Skip to content
Auto-CTI
Back to today
NEW CRITICAL A2

CVE-2026-58233

A NVD · · CVE-2026-58233

Admiralty grading (A–F · 1–6)

Source reliability

  • A Completely reliable
  • B Usually reliable
  • C Fairly reliable
  • D Not usually reliable
  • E Unreliable
  • F Cannot be judged

Information credibility

  • 1 Confirmed
  • 2 Probably true
  • 3 Possibly true
  • 4 Doubtful
  • 5 Improbable
  • 6 Cannot be judged

NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.

Key metrics

CVSS
7.6
EPSS
0%

Key insight

The vulnerability requires authentication and manual processing of a malicious archive file, which limits attack surface in typical production environments but is relevant for SAP administrators and change-management workflows.

Description

CVE-2026-58233 is a deserialization vulnerability in the SAP Change and Transport System Attach Tool (ctsattach) that allows authenticated attackers to supply a malicious archive file and trigger remote code execution. Exploitation requires a victim (typically an SAP administrator or change manager) to process the crafted file. Successful exploitation enables code execution, access to sensitive data, and system control. The CVSS profile indicates high impact on confidentiality and integrity, but low impact on availability.

Risk score

Review required 84
cvss base
76.00
kev bonus
0.00
epss bonus
0.00
poc bonus
0.00
raw before weight
76.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00
consensus penalty
-8.00

Path: operational

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • CVSS_LOW_RISK High CVSS despite low-risk wording −8
Consensus penalty:
−8.0
Total penalty:
−8.0

MITRE ATT&CK mapping

5 TTPs
Recon
Resource Dev
Persistence
Priv. Escal.
Cred. Access
Discovery
Lateral Mov.
C2
Exfiltration
Impact
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1211
Exploitation for Defense Evasion
Defense Evasion Attacker exploits insecure deserialization vulnerability in SAP Change and Transport System Attach Tool (ctsattach) by supplying a specially crafted archive file to trigger remote code execution low llm
T1203
Exploitation for Client Execution
Execution A specially crafted archive file is processed by ctsattach's library, triggering insecure deserialization that leads to remote code execution on the target system high llm
T1059
Command and Scripting Interpreter
Execution Successful exploitation of the deserialization vulnerability in ctsattach enables the attacker to execute arbitrary code and gain control over the system and its processes medium llm
T1005
Data from Local System
Collection Following successful RCE via the insecure deserialization vulnerability, the attacker can extract sensitive information from the compromised SAP system medium llm
T1190
Exploit Public-Facing Application
Initial Access An authenticated attacker supplies a malicious archive file to the SAP Change and Transport System Attach Tool (ctsattach), exploiting insecure deserialization to achieve remote code execution high llm
ESC