A critical vulnerability in SAP NetWeaver Application Server has become the latest target for Chinese state-sponsored threat actors, with researchers confirming active exploitation in the wild.
The zero-day vulnerability, tracked as CVE-2023-7629, affects multiple versions of SAP NetWeaver AS ABAP and enables attackers to gain remote code execution without authentication.
Security experts warn that thousands of internet-facing SAP systems remain vulnerable despite emergency patches released last week.
The vulnerability exists in the SAP Internet Communication Manager (ICM) component, which handles HTTP requests for SAP applications.
Initial exploitation attempts were observed targeting financial institutions and manufacturing companies with high-value intellectual property.
Once compromised, affected systems have been weaponized to establish persistent access and exfiltrate sensitive business data, with several victims reporting significant financial losses and operational disruptions.
Forescout researchers identified a sophisticated attack chain leveraging the vulnerability to deploy custom malware they’ve named “SAPphire.”
Their analysis revealed that the malware establishes encrypted command-and-control channels through legitimate SAP communication protocols, making detection particularly challenging for traditional security tools.
The attackers demonstrated extensive knowledge of SAP architecture, suggesting a dedicated focus on targeting enterprise resource planning systems.
The attack vector begins with a specially crafted HTTP request to vulnerable SAP NetWeaver instances, exploiting memory corruption in the ICM component.
This initial access is followed by payload delivery that establishes persistence through modified SAP service configurations and scheduled jobs.
The sophistication of the attacks has raised concerns about potential supply chain implications, as compromised systems could be used to target connected business partners.
Organizations running SAP systems are experiencing significant business impact, with several critical environments taken offline for emergency patching.
The vulnerability affects systems across industries, with government agencies, healthcare providers, and critical infrastructure operators among those most at risk due to their reliance on SAP for core business operations.
Infection Mechanism Analysis
The exploitation technique uses HTTP request smuggling to bypass security controls and trigger a memory corruption vulnerability.
When analyzing compromised systems, security teams discovered the following attack payload:
POST /sap/bc/soap/rfc HTTP/1.1
Host: target-sap-server
Content-Type: text/xml
Content-Length: 1337
Connection: keep-alive
USERS
%s%s%s
This crafted SOAP request exploits improper input validation in the RFC_READ_TABLE function, where the TEXT field contains format string specifiers that trigger memory corruption and subsequent code execution.
Once executed, the payload establishes a reverse shell connection, allowing attackers to download additional malware components.
Figure: SAP NetWeaver Attack Chain. The diagram illustrates how this initial exploit leads to persistent access within compromised environments.
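The indicators described above (a POST to the SOAP/RFC handler whose body carries printf-style format specifiers, and HTTP framing ambiguities of the kind used in request smuggling) can be turned into simple triage rules for captured ICM traffic. The following Python script is an added example written for this page; it is not Forescout's tooling or code from the article. The sample requests, host name and rule names are constructed for the demonstration, and the format-specifier pattern is a heuristic that should be tuned against your own traffic.

```python
"""Triage raw HTTP requests captured in front of SAP ICM for the indicators
described in the article: format-string specifiers in SOAP/RFC request bodies
and Content-Length / Transfer-Encoding framing ambiguities.

Added example; all sample requests below are constructed, not real traffic."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# printf-style specifiers (%s, %x, %n, %08x, %p, ...) have no business inside
# a well-formed RFC_READ_TABLE TEXT field.  SQL wildcards such as '%ABC%' do
# not match this pattern, which keeps ordinary table reads quiet.
FORMAT_SPEC_RE = re.compile(r"%\d*[sxXnpdu]")
# ICF path for SOAP-over-RFC named in the article.
WATCHED_PATHS = ("/sap/bc/soap/rfc",)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Finding:
    rule: str
    detail: str


def parse_http_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def inspect_request(raw: str) -> List[Finding]:
    """Return the detection rules a single request trips (empty list if clean)."""
    req = parse_http_request(raw)
    findings: List[Finding] = []

    # Rule 1: Content-Length together with Transfer-Encoding lets a front-end
    # proxy and the back-end frame the body differently, the precondition for
    # HTTP request smuggling.
    if "transfer-encoding" in req.headers and "content-length" in req.headers:
        findings.append(Finding("ambiguous-framing",
                                f"CL={req.headers['content-length']} "
                                f"TE={req.headers['transfer-encoding']}"))

    # Rule 2: declared Content-Length that does not match the bytes actually sent.
    if "content-length" in req.headers:
        declared = req.headers["content-length"]
        actual = len(req.body.encode("utf-8"))
        if not declared.isdigit():
            findings.append(Finding("malformed-content-length", declared))
        elif int(declared) != actual:
            findings.append(Finding("content-length-mismatch",
                                    f"declared {declared}, actual {actual}"))

    # Rule 3: format-string specifiers inside the body of a SOAP/RFC request.
    if req.path.startswith(WATCHED_PATHS):
        specs = FORMAT_SPEC_RE.findall(req.body)
        if specs:
            findings.append(Finding("format-string-in-rfc-body",
                                    f"{len(specs)} specifier(s), e.g. {specs[:3]}"))
    return findings


def scan(requests: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each request name to the rule names it trips; clean requests are omitted."""
    report: Dict[str, List[str]] = {}
    for name, raw in requests.items():
        rules = [f.rule for f in inspect_request(raw)]
        if rules:
            report[name] = rules
    return report


def build_request(path: str, headers: Dict[str, str], body: str) -> str:
    """Assemble a raw HTTP/1.1 POST; used only to construct the samples below."""
    lines = [f"POST {path} HTTP/1.1", *(f"{k}: {v}" for k, v in headers.items())]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed samples.  The host name is hypothetical.
_HOST = "sap-dev.example.internal"
_BENIGN_BODY = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
                '<soapenv:Body><RFC_READ_TABLE><QUERY_TABLE>T000</QUERY_TABLE>'
                "<OPTIONS><item><TEXT>MANDT LIKE '0%'</TEXT></item></OPTIONS>"
                '</RFC_READ_TABLE></soapenv:Body></soapenv:Envelope>')
_FORMAT_BODY = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
                '<soapenv:Body><RFC_READ_TABLE><QUERY_TABLE>USERS</QUERY_TABLE>'
                '<OPTIONS><item><TEXT>%s%s%s</TEXT></item></OPTIONS>'
                '</RFC_READ_TABLE></soapenv:Body></soapenv:Envelope>')

SAMPLE_REQUESTS = {
    "benign-rfc-call": build_request(
        "/sap/bc/soap/rfc",
        {"Host": _HOST, "Content-Type": "text/xml",
         "Content-Length": str(len(_BENIGN_BODY))}, _BENIGN_BODY),
    "smuggling-probe": build_request(
        "/sap/public/ping",
        {"Host": _HOST, "Content-Length": "5", "Transfer-Encoding": "chunked"},
        "0\r\n\r\n"),
    "format-string-rfc": build_request(
        "/sap/bc/soap/rfc",
        {"Host": _HOST, "Content-Type": "text/xml", "Content-Length": "1337"},
        _FORMAT_BODY),
}

if __name__ == "__main__":
    for name, rules in scan(SAMPLE_REQUESTS).items():
        print(f"{name}: {', '.join(rules)}")
```

Rule 1 fires on any request that carries both framing headers regardless of path, because a smuggled request can reach the SOAP handler through a proxy even when the outer request targets something harmless. Rule 3 is deliberately scoped to the SOAP/RFC path so that percent signs in unrelated content do not flood the alert queue.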