CVE-2024-54197
📋 TL;DR
This vulnerability in the System Overview component of SAP NetWeaver Administrator (NWA, SAP NetWeaver AS Java) lets an authenticated attacker craft HTTP requests that the SAP server then issues on the attacker's behalf, i.e. Server-Side Request Forgery (SSRF). From the SAP host's network position the attacker can enumerate which internal HTTP endpoints (hosts and ports) are reachable, endpoints that are normally not exposed to the attacker's own network. Exploitation requires a valid NWA user with access to the System Overview component.
💻 Affected Systems
- SAP NetWeaver Administrator (System Overview component, SAP NetWeaver AS Java); see SAP Note 3542543 for the affected software component and patch levels
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
The attacker uses the SAP host as an internal HTTP proxy: requests reach management interfaces or services that trust the SAP server's source address, any response content that System Overview relays is read, and the mapped hosts become the starting point for lateral movement within the network.
Likely Case
The attacker maps which internal hosts and ports answer HTTP from the SAP server's network position, discovers otherwise hidden internal services, and may reach a limited set of resources that were only protected by not being routable from outside.
If Mitigated
With egress filtering on the SAP host and System Overview access limited to administrators, the impact is reduced to disclosure of which allowlisted endpoints exist, without access to their content.
🎯 Exploit Status
Exploitation requires valid NWA credentials with access to System Overview and the ability to craft the HTTP requests that component sends; an unauthenticated external attacker cannot use it directly. No public exploit code has been identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the software component patch level listed in SAP Security Note 3542543
Vendor Advisory: https://me.sap.com/notes/3542543
Restart Required: Yes
Instructions:
1. Open SAP Note 3542543 on the SAP Support Portal and identify the affected Java software component and the patch level that fixes it.
2. Download the corresponding patch from the SAP Support Portal and deploy it with Software Update Manager (SUM), following your standard AS Java patching procedure.
3. Restart the affected AS Java instances.
4. Verify the deployed component version on the AS Java System Information page (http://<host>:<port>/monitoring/SystemInfo). Note that transaction SNOTE belongs to the ABAP stack and does not apply to the Java stack that NWA runs on.
🔧 Temporary Workarounds
Network Segmentation
Restrict outbound HTTP(S) connections from SAP AS Java hosts to an explicit allowlist of internal services they legitimately need, and deny everything else at the host or network firewall.
Access Control
Limit access to the SAP NetWeaver Administrator System Overview component to the administrators who need it, and review NWA role assignments for stale or over-privileged accounts.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SAP servers from sensitive internal systems
- Monitor and alert on outbound HTTP(S) connections from SAP hosts to internal destinations not on the allowlist, in particular fan-out across many hosts or ports in a short window
🔍 How to Verify
Check if Vulnerable:
Compare the patch level of the Java software component named in SAP Note 3542543 against the fixed level given in the note; any instance below that level is vulnerable. Cross-check against the SAP Security Patch Day advisory for December 2024.
Check Version:
Open the AS Java System Information page (http://<host>:<port>/monitoring/SystemInfo) and read the installed component versions. ABAP transactions such as SM51, SM50 and SNOTE do not apply to the Java stack that NetWeaver Administrator runs on.
Verify Fix Applied:
Confirm the component is at or above the fixed patch level after the instance restart and, using an authorized test account, confirm that System Overview no longer issues requests to attacker-chosen internal endpoints.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests from SAP server to internal IP ranges
- Multiple failed HTTP connection attempts to internal services
- Requests to non-standard ports from SAP system
Network Indicators:
- HTTP traffic from SAP server to unexpected internal destinations
- Port scanning patterns originating from SAP server
SIEM Query (pseudo-syntax, adapt to your platform; exclude the SAP host's known legitimate destinations so the allowlist traffic does not drown the signal):
source_ip=SAP_SERVER_IP AND dest_ip=INTERNAL_SUBNET AND NOT dest_ip=ALLOWED_DESTINATIONS AND (dest_port=80 OR dest_port=443 OR dest_port=8080 OR dest_port=8000) | count distinct(dest_ip, dest_port) by source_ip over 5m | alert where count >= 5
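The indicators above reduce to one pattern: a single SAP host fanning out to many distinct internal host:port pairs in a short window, often with many denied connections and non-standard ports. The script below is an added example written for this page, not code from SAP or from any SIEM vendor; it parses constructed egress-firewall log lines in an assumed key=value layout and flags a source that exceeds a fan-out threshold within a sliding window. The SAP host address, the internal ranges, the expected ports and the threshold are assumptions to adjust for your environment.

```python
"""Detect SSRF-style internal endpoint enumeration from an SAP host.

Added example for this page (not SAP's or any vendor's code). It reads
egress firewall log lines in a constructed key=value format, keeps only
connections from assumed SAP hosts to internal ranges, and flags a source
that reaches many distinct host:port pairs inside a sliding time window.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: 10.0.5.20 (assumed SAP AS Java host) sweeps an
# internal subnet; 10.0.6.40 is an ordinary host with normal traffic.
SAMPLE_LOG = """\
2024-12-10T09:00:01Z src=10.0.5.20 dst=10.0.8.11 dport=80 action=allow
2024-12-10T09:00:02Z src=10.0.5.20 dst=10.0.8.12 dport=80 action=deny
2024-12-10T09:00:02Z src=10.0.5.20 dst=10.0.8.12 dport=8080 action=deny
2024-12-10T09:00:03Z src=10.0.5.20 dst=10.0.8.13 dport=443 action=deny
2024-12-10T09:00:03Z src=10.0.5.20 dst=10.0.8.14 dport=8000 action=deny
2024-12-10T09:00:04Z src=10.0.5.20 dst=10.0.8.15 dport=9200 action=deny
2024-12-10T09:00:05Z src=10.0.5.20 dst=10.0.8.16 dport=5984 action=deny
2024-12-10T09:00:06Z src=10.0.5.20 dst=203.0.113.7 dport=443 action=allow
2024-12-10T09:30:00Z src=10.0.5.20 dst=10.0.9.5 dport=443 action=allow
2024-12-10T09:00:07Z src=10.0.6.40 dst=10.0.8.11 dport=80 action=allow
2024-12-10T09:00:08Z src=10.0.6.40 dst=10.0.8.12 dport=80 action=allow
"""

SAP_HOSTS = {"10.0.5.20"}                       # assumption: your SAP AS Java hosts
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_PORTS = {80, 443}                      # assumption: ports the SAP host legitimately uses
WINDOW = timedelta(minutes=5)                   # sliding window for fan-out counting
FANOUT_THRESHOLD = 5                            # distinct host:port pairs that trigger an alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one key=value log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def is_internal(ip):
    """True if the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text, sap_hosts=SAP_HOSTS, window=WINDOW,
           threshold=FANOUT_THRESHOLD, expected_ports=EXPECTED_PORTS):
    """Return one finding per SAP host whose internal fan-out exceeds the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only outbound connections from SAP hosts to internal destinations matter here.
        if ev is None or ev["src"] not in sap_hosts or not is_internal(ev["dst"]):
            continue
        events[ev["src"]].append(ev)

    findings = []
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_start = 0, None
        # Sliding window: count distinct (dst, port) pairs starting at each event.
        for i, start in enumerate(evs):
            endpoints = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                endpoints.add((ev["dst"], ev["dport"]))
            if len(endpoints) > best:
                best, best_start = len(endpoints), start["ts"]
        if best >= threshold:
            findings.append({
                "src": src,
                "distinct_endpoints": best,
                "window_start": best_start.isoformat(),
                "nonstandard_ports": sorted({e["dport"] for e in evs} - set(expected_ports)),
                "denied": sum(1 for e in evs if e["action"] == "deny"),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The external destination (203.0.113.7) and the connection half an hour later are deliberately left out of the count: the first is outside the internal ranges, the second outside the window, which keeps a single legitimate call from tipping the threshold. Tune `FANOUT_THRESHOLD` against a baseline of the SAP host's normal outbound traffic before alerting on it.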