PT-2016-7329 · SAP · SAP NetWeaver

Pablo Artuso · Published 2016-10-05 · Updated 2016-11-28 · CVE-2016-7435

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver version 7.40 SP 12

Description: The issue allows remote authenticated users with certain permissions to execute arbitrary commands. This is achieved through vectors involving a CALL 'SYSTEM' statement in the SCTC subpackage, specifically in the (1) SCTC REFRESH EXPORT TAB COMP, (2) SCTC REFRESH CHECK ENV, and (3) SCTC TMS MAINTAIN ALOG functions.

Recommendations: For SAP NetWeaver version 7.40 SP 12, consider restricting access to the SCTC subpackage functions, specifically SCTC REFRESH EXPORT TAB COMP, SCTC REFRESH CHECK ENV, and SCTC TMS MAINTAIN ALOG, to minimize the risk of exploitation. As a temporary workaround, consider disabling the CALL 'SYSTEM' statement in these functions until a patch is available.

Fix


Weakness Enumeration

Related Identifiers: CVE-2016-7435

Affected Products: SAP NetWeaver