CVE-2021-33672 – CVE-2021-33672 is a critical cross-site scripti... (How to Fix)

Q: What is the severity of CVE-2021-33672?

CVE-2021-33672 has a CVSS score of 9.6 (CRITICAL). CVE-2021-33672 is a critical cross-site scripting (XSS) vulnerability in SAP Contact Center's Communication Desktop component that allows remote code execution. Attackers can send malicious chat messages that execute scripts in the recipient's browser, and due to ActiveX usage, can escalate to full operating system command execution. This affects organizations using SAP Contact Center version 700.

📋 TL;DR

CVE-2021-33672 is a critical cross-site scripting (XSS) vulnerability in SAP Contact Center's Communication Desktop component that allows remote code execution. Attackers can send malicious chat messages that execute scripts in the recipient's browser, and due to ActiveX usage, can escalate to full operating system command execution. This affects organizations using SAP Contact Center version 700.

💻 Affected Systems

Products:

SAP Contact Center Communication Desktop

Versions: Version 700

Operating Systems: Windows (due to ActiveX dependency)

Default Config Vulnerable: ⚠️ Yes

Notes: Requires ActiveX to be enabled in the application, which is typical for this SAP component.

📦 What is this software?

Contact Center by Sap

View all CVEs affecting Contact Center →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of chat recipient's system leading to data theft, system takeover, and potential lateral movement across the network.

🟠

Likely Case

Attacker gains control of individual user workstations, steals credentials, and accesses sensitive data within the chat system's scope.

🟢

If Mitigated

Limited to chat system disruption or minor data exposure if proper network segmentation and endpoint protection are in place.

🌐 Internet-Facing: HIGH if chat functionality is exposed to external users, as unauthenticated attackers could exploit it remotely.

🏢 Internal Only: HIGH even internally, as any user with chat access could be targeted by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending a chat message, which may require some level of access, but the technical complexity is low once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Note 3073891

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3073891

Restart Required: Yes

Instructions:

1. Download and apply SAP Note 3073891 patch. 2. Restart the SAP Contact Center Communication Desktop service. 3. Verify the patch is applied by checking the component version.

🔧 Temporary Workarounds

Disable ActiveX in Communication Desktop

windows

Prevents escalation from XSS to OS command execution by disabling ActiveX controls in the application settings.

Configure via SAP Contact Center admin interface: Navigate to Security Settings > Disable ActiveX

Restrict Chat Functionality

all

Temporarily disable or limit chat features to authorized users only until patching is complete.

Use SAP Contact Center admin console to disable external chat or implement access controls

🧯 If You Can't Patch

Isolate affected systems from critical networks to limit lateral movement.
Implement strict endpoint security controls and monitor for unusual process execution.

🔍 How to Verify

Check if Vulnerable:

Check if SAP Contact Center Communication Desktop version 700 is installed and ActiveX is enabled in the configuration.

Check Version:

Use SAP transaction code SM51 or check the application's about dialog for version information.

Verify Fix Applied:

Verify that SAP Note 3073891 is applied by checking the patch status in the SAP system or confirming the component version is updated.

📡 Detection & Monitoring

Log Indicators:

Unusual chat message patterns or script tags in chat logs
Unexpected process executions from the Communication Desktop application

Network Indicators:

Suspicious outbound connections from chat client systems to unknown IPs

SIEM Query:

source="sap_chat_logs" AND message="*<script>*" OR process="cmd.exe" parent="CommunicationDesktop.exe"

📊 Metadata

CVE ID: CVE-2021-33672

CVSS v3 Score: 9.6 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE: CWE-116

Published: September 14, 2021

Last Updated: November 21, 2024

🔗 References

https://launchpad.support.sap.com/#/notes/3073891 Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 Vendor Advisory
https://launchpad.support.sap.com/#/notes/3073891 Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-33672, you might also want to check these: