SAP NetWeaver Application Server ABAP Vulnerability: Authenticated Attacker Can Access Remote Services
CVE-2024-54198

8.5HIGH

Key Information:

Vendor: SAP
Status: SAP Netweaver Application Server Abap
Vendor: CVE Published:; 10 December 2024

What is CVE-2024-54198?

The vulnerability in the SAP NetWeaver Application Server ABAP allows authenticated attackers to exploit crafted Remote Function Call (RFC) requests targeting restricted destinations. This exposure may lead to unauthorized access to sensitive credentials utilized by remote services. Once compromised, these credentials pose a significant risk as they can be leveraged to execute further attacks, undermining the confidentiality, integrity, and availability of the application. Organizations utilizing affected versions should prioritize applying relevant security patches to mitigate potential security risks. For additional insights and patch information, refer to SAP's official documentation.

Affected Version(s)

SAP NetWeaver Application Server ABAP KRNL64NUC 7.22

SAP NetWeaver Application Server ABAP 7.22EXT

SAP NetWeaver Application Server ABAP KRNL64UC 7.22

References

https://me.sap.com/notes/3469791

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Dec 2, 2024