ctipilot.ch
← Back to the live brief
HIGHNATOA2vulnerability

Abacus ERP: unauthenticated RCE (CVSS 9.8, no CVE) and authenticated path traversal in a widely-deployed Swiss ERP platform — flagged by NCSC-CH

discovered 2026-07-17 04:35 UTCrun 2026-07-17T0409Z-intel3 sourcesmulti-source

Abacus Research AG (Wittenbach, SG) patched two unrelated flaws on 2026-07-15 that NCSC-CH surfaced the following day (NCSC-CH, 2026-07-16). The critical one is an unauthenticated remote code execution in the server-side handler of the proprietary Abacus client-server communication protocol: "the vulnerability allows remote code execution on the abacus server without user authentication," and "reachable Abacus Endpoints are the only prerequisite for an attack" — no credentials, no user interaction (Abacus Research AG, 2026-07-15). The vendor states the flaw is not limited by license or option: every on-prem Abacus ERP installation is affected, and End-of-Life V2023-and-earlier builds remain vulnerable with no fix planned. The second flaw (CVSS 7.7) is a path traversal in two APIs tied to the AbaClik / AbaClik.ai mobile companion apps that lets an authenticated caller read a subset of server files outside the application's security realm; NCSC-CH's load-bearing point is that these APIs are network-exposed by default even for customers who do not use the mobile apps (Abacus Research AG, 2026-07-15).

Both were found through Abacus's own bug-bounty program and the vendor reports no indication of exploitation in the wild. Internet-facing on-prem deployments are the acute case; an internal-only Abacus still carries the flaw but with the attack surface reduced to the internal network.

If successfully exploited, the vulnerability allows remote code execution on the abacus server without user authentication.

Reachable Abacus Endpoints are the only prerequisite for an attack.

No, the vulnerability was found in our bugbounty program. We have no indications of a successful attack in the wild.

Abacus Research AG

Defender actions

  • Patch on-prem Abacus ERP to the fixed build (V2026 2026.201.17211 / V2025 2025.203.17044 / V2024 2024.204.16772) or apply the ServiceManager SilentHotfix — the SilentHotfix relies on a code-signing certificate known only to AbaClient ≥ 4.2, so on older clients the Abacus will fail to start until the client is updated or the hotfix reverted; EOL V2023-and-earlier has no fix and must be isolated or upgraded.
  • Confirm the AbaClik / AbaClik.ai APIs are not reachable from untrusted networks — NCSC-CH notes they are exposed externally by default even for customers not using the mobile apps, which is the exposure the authenticated path-traversal file read abuses.

ATT&CK mapping

1 technique mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.