Beware! SAP Application Interface Framework File Adapter Vulnerability Allows OS Command Execution

CVE: CVE-2024-21737
CVSS v3.1: 8.4
Source: CVE-2024-21737

The SAP Application Interface Framework File Adapter, a tool used for file transfer integration in SAP systems, was found to have a high-risk vulnerability with a CVSS score of 8.4.

Researchers discovered that a privileged user could abuse a function module to traverse through different layers and directly execute operating system commands on the server. This essentially gave the user full control over the application and underlying system.

By exploiting this vulnerability, an attacker with valid credentials could retrieve sensitive data, install malware, or disrupt critical business processes and services. They would have the ability to view, modify or delete any files on the server without authorization.

All SAP Application Interface Framework File Adapter users are urged to verify their version and apply the latest updates released by SAP to patch this security hole. Regularly review and reduce privileges for accounts where possible. It is also recommended to isolate this application on its own segmented network for added protection.

Staying on top of software updates is the best way to prevent exploitation of known issues. Users should monitor the SAP security notification site for new advisories and act promptly to close vulnerabilities in their critical systems.
