CVE-2026-58233
A NVD · · CVE-2026-58233
Admiralty grading (A–F · 1–6)
Source reliability
- A Completely reliable
- B Usually reliable
- C Fairly reliable
- D Not usually reliable
- E Unreliable
- F Cannot be judged
Information credibility
- 1 Confirmed
- 2 Probably true
- 3 Possibly true
- 4 Doubtful
- 5 Improbable
- 6 Cannot be judged
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key metrics
- CVSS
- 7.6
- EPSS
- 0%
Key insight
The vulnerability requires authentication and manual processing of a malicious archive file, which limits attack surface in typical production environments but is relevant for SAP administrators and change-management workflows.
Description
CVE-2026-58233 is a deserialization vulnerability in the SAP Change and Transport System Attach Tool (ctsattach) that allows authenticated attackers to supply a malicious archive file and trigger remote code execution. Exploitation requires a victim (typically an SAP administrator or change manager) to process the crafted file. Successful exploitation enables code execution, access to sensitive data, and system control. The CVSS profile indicates high impact on confidentiality and integrity, but low impact on availability.
Risk score
- cvss base
- 76.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 0.00
- raw before weight
- 76.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -8.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
CVSS_LOW_RISKHigh CVSS despite low-risk wording −8
- Consensus penalty:
- −8.0
- Total penalty:
- −8.0
MITRE ATT&CK mapping
5 TTPsProcedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1211 Exploitation for Defense Evasion | Defense Evasion | Attacker exploits insecure deserialization vulnerability in SAP Change and Transport System Attach Tool (ctsattach) by supplying a specially crafted archive file to trigger remote code execution | low | llm |
| T1203 Exploitation for Client Execution | Execution | A specially crafted archive file is processed by ctsattach's library, triggering insecure deserialization that leads to remote code execution on the target system | high | llm |
| T1059 Command and Scripting Interpreter | Execution | Successful exploitation of the deserialization vulnerability in ctsattach enables the attacker to execute arbitrary code and gain control over the system and its processes | medium | llm |
| T1005 Data from Local System | Collection | Following successful RCE via the insecure deserialization vulnerability, the attacker can extract sensitive information from the compromised SAP system | medium | llm |
| T1190 Exploit Public-Facing Application | Initial Access | An authenticated attacker supplies a malicious archive file to the SAP Change and Transport System Attach Tool (ctsattach), exploiting insecure deserialization to achieve remote code execution | high | llm |