SAS Statement Regarding Remote Code Execution Vulnerability in SAS® Viya®

Reference Name: Remote Code Execution Vulnerability in SAS® Viya®
Severity: Critical
Status: SAS Hot Fixes Are Available


  • 9-30-2019 – New hot fixes are available for SAS Viya


An authenticated SAS user might have the ability to execute system commands on the host server. An unauthenticated user cannot exploit this issue.


The SAS Viya authorization service contains a remote code execution vulnerability via user-configurable conditional rules.


See SAS Note 64766 to access the hot fix for this issue.

Security Bulletins Icon

Security Bulletins

View other security bulletins, published as part of our formal PSIRT process.

Technical Support Icon

Technical Support

Get world-class technical support via our support track system.

Samples & SAS Notes Icon

Samples & SAS Notes

Search our extensive Knowledge Base for code samples and SAS Notes.

Back to Top