SAP Gateway Remote Command Execution

Added: 05/07/2019

Background

SAP Gateway is a development framework that allows non-SAP applications to communicate with SAP applications.

Problem

SAP Gateway behavior depends on two parameters, acl_mode and sim_mode. If the SAP Gateway access control lists (ACLs) are configured with acl_mode=0, anonymous users are permitted to run operating system commands.
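
A configuration check for the two parameters described above, as an added example that is not part of the original advisory or any SAP tooling. It assumes the settings appear in an instance profile as gw/acl_mode and gw/sim_mode in "key = value" form, and that sim_mode=1 means simulation mode is on; the sample profile is constructed.

```python
# Added example: audit an SAP instance profile for the gateway settings
# named in this advisory. The parameter names gw/acl_mode and gw/sim_mode and
# the "key = value" profile syntax are assumptions, not taken from the page.

WATCHED = ("gw/acl_mode", "gw/sim_mode")

# Constructed sample profile text (not from a real system).
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = DEV
gw/acl_mode = 0
gw/sim_mode = 1
rdisp/wp_no_dia = 10
"""


def parse_profile(text):
    """Return {parameter: value}; a later assignment overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def audit_gateway(text):
    """Return a list of (parameter, value, finding) for the watched settings."""
    params = parse_profile(text)
    findings = []
    for name in WATCHED:
        value = params.get(name)
        if value is None:
            # The kernel default applies and varies by release, so flag it.
            findings.append((name, None, "not set: verify the effective default"))
        elif name == "gw/acl_mode" and value == "0":
            findings.append((name, value, "anonymous users may run OS commands"))
        elif name == "gw/sim_mode" and value == "1":
            # Assumption: 1 enables simulation mode.
            findings.append((name, value, "simulation mode on: review ACL enforcement"))
        else:
            findings.append((name, value, "ok"))
    return findings


if __name__ == "__main__":
    for name, value, finding in audit_gateway(SAMPLE_PROFILE):
        print(f"{name} = {value!r}: {finding}")
```
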

Resolution

CISA recommends that administrators of SAP systems:

References

https://www.us-cert.gov/ncas/alerts/AA19-122A

Limitations

