CVE-2023-49580 Overview
CVE-2023-49580 affects SAP GUI for Windows and SAP GUI for Java; the affected versions are tracked by the backend SAP_BASIS software component, releases 755, 756, 757 and 758. An unauthenticated attacker can read information that should remain restricted and confidential, and can also create Layout configurations for the ABAP List Viewer (ALV). The layout creation has a limited integrity and availability impact: it increases the response time of the AS ABAP application server. The weakness is classified as [CWE-732] Incorrect Permission Assignment for Critical Resource.
Critical Impact
Unauthenticated network attackers can read restricted SAP data and create ABAP List Viewer layouts on the backend. The integrity and availability impact is limited: it shows up as increased AS ABAP response times rather than as an outage or arbitrary data modification.
Affected Products
- SAP GUI for Windows (SAP_BASIS 755, 756, 757, 758)
- SAP GUI for Java (SAP_BASIS 755, 756, 757, 758)
- SAP NetWeaver AS ABAP systems whose SAP_BASIS component is on release 755, 756, 757 or 758 and that serve SAP GUI for Windows or SAP GUI for Java clients
Discovery Timeline
- 2023-12-12 - CVE-2023-49580 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-49580
Vulnerability Analysis
The vulnerability stems from incorrect permission assignment on resources that SAP GUI for Windows and SAP GUI for Java reach on the AS ABAP server. An unauthenticated attacker can reach the affected functionality over the network with low attack complexity and no user interaction. The flaw has two distinct outcomes. First, the attacker can retrieve information that should require authentication and authorization. Second, the attacker can create Layout configurations in the ABAP List Viewer (ALV), the standard SAP component for displaying tabular data.
Created layouts are persisted on the AS ABAP backend, so an unauthenticated attacker leaves lasting state behind rather than a transient effect, and the vendor description ties this layout creation to increased response time of the application server for legitimate users working with ALV. The combined impact spans confidentiality, integrity and availability, each at a limited level.
Root Cause
The root cause is a missing or improperly enforced permission check on ALV layout management and information retrieval endpoints exposed through SAP GUI. The affected SAP_BASIS components do not adequately validate the caller's authentication state before granting access to protected resources, mapping to [CWE-732].
Attack Vector
Exploitation occurs over the network without credentials and without user interaction. An attacker with network reachability to the AS ABAP services that SAP GUI connects to can issue requests that bypass the expected authorization controls, both reading sensitive information and writing new ALV Layout configurations into the backend. No verified public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Refer to SAP Note #3385711 for vendor technical details.
Detection Methods for CVE-2023-49580
Indicators of Compromise
- Unexpected ALV Layout entries created without an associated authenticated user session
- Anomalous DIAG connections to the AS ABAP dispatcher ports (32NN) used by SAP GUI from external or untrusted network segments
- Sustained increases in AS ABAP response times correlated with bursts of ALV layout creation
Detection Strategies
- Audit ALV layout creation, using the Security Audit Log together with the layout tables themselves, and alert on layouts that cannot be tied to a valid user context
- Monitor the dispatcher (DIAG) listeners that SAP GUI connects to for requests originating from sources outside approved client ranges
- Correlate AS ABAP performance metrics with unusual ALV configuration changes to surface low-and-slow abuse
Monitoring Recommendations
- Enable SAP Security Audit Log (SM19/RSAU_CONFIG) with full coverage of RFC and dialog events on affected systems
- Forward SAP audit and performance telemetry to a centralized analytics platform for cross-source correlation
- Track SAP_BASIS patch level inventory to confirm remediation status across the landscape; where the fix was applied as a correction instruction via SNOTE rather than as a support package, check the note's implementation status as well, since the support package level alone does not prove it
How to Mitigate CVE-2023-49580
Immediate Actions Required
- Apply the fix from SAP Note #3385711 (support package or correction instruction) to every AS ABAP system running SAP_BASIS 755, 756, 757 or 758; the versions listed are SAP_BASIS releases, so remediation happens on the server side that SAP GUI for Windows and SAP GUI for Java connect to
- Restrict network access to SAP GUI services so only authorized client subnets can reach the application servers
- Review the ALV layout tables (the layout variants are stored in SAP_BASIS tables such as LTDX and LTDXT) for unauthorized entries and remove configurations not tied to legitimate users
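The detection strategy above (alert on ALV layouts that lack a valid user context) and the layout review in the last step reduce to the same check over an export of the layout variant table. The following Python script is an added example written for this page, not SAP tooling: it reads a constructed CSV export whose column names (REPORT, USERNAME, VARIANT, ERDAT, ERTIM) are assumptions modelled on the LTDX table, flags user-specific layouts that have no owner or an owner missing from the user master, and separately reports any principal that created many layouts within one minute, which is the trace mass creation by an unauthenticated caller would leave. Global layouts (names starting with "/") are skipped because by ALV convention they carry no user.

```python
"""Flag suspicious ALV layout variants in an LTDX-style table export.

Added example for this page, not SAP code. Assumptions: the export is a
CSV with the columns REPORT, USERNAME, VARIANT, ERDAT and ERTIM (column
names modelled on the LTDX layout table; adapt them to your SE16 download),
and KNOWN_USERS is the set of accounts from your user master. The sample
rows below are constructed, not taken from a real system.
"""
import csv
import io
from collections import Counter

# Constructed export: a normal user layout, a global layout, one layout owned
# by an account that does not exist, and six ownerless layouts created within
# the same minute (the pattern an unauthenticated mass creation would leave).
LAYOUT_EXPORT = """\
REPORT,USERNAME,VARIANT,ERDAT,ERTIM
SAPLSLVC_FULLSCREEN,ALICE,MYLAYOUT,20231101,091500
SAPLSLVC_FULLSCREEN,,/STANDARD,20230615,120000
RSUSR002,BOB,SALES_VIEW,20231110,143000
RSUSR002,ZZ_GHOST,VIEW1,20231211,020101
SAPLSLVC_FULLSCREEN,,LOAD0001,20231211,020102
SAPLSLVC_FULLSCREEN,,LOAD0002,20231211,020102
SAPLSLVC_FULLSCREEN,,LOAD0003,20231211,020103
SAPLSLVC_FULLSCREEN,,LOAD0004,20231211,020103
SAPLSLVC_FULLSCREEN,,LOAD0005,20231211,020104
SAPLSLVC_FULLSCREEN,,LOAD0006,20231211,020105
"""
KNOWN_USERS = {"ALICE", "BOB", "SAPADMIN"}  # constructed user-master extract
BURST_THRESHOLD = 5  # layouts by one principal within one minute (tune per system)


def parse_layouts(export_text):
    """Parse the CSV export (header row required) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(export_text)))


def is_global_layout(variant):
    """By ALV naming convention, global (user-independent) layouts start with '/'
    and legitimately carry an empty USERNAME, so they are not ownership findings."""
    return variant.startswith("/")


def ownership_finding(row, known_users):
    """Return a reason if the layout's ownership is suspicious, else None."""
    user = row["USERNAME"].strip()
    if is_global_layout(row["VARIANT"]):
        return None
    if not user:
        return "no owner"  # user-specific layout without any user context
    if user not in known_users:
        return f"unknown owner {user}"
    return None


def find_bursts(rows, threshold):
    """Principals that created at least `threshold` layouts within one minute."""
    per_minute = Counter()
    for row in rows:
        principal = row["USERNAME"].strip() or "(none)"
        minute = row["ERDAT"] + row["ERTIM"][:4]  # YYYYMMDDHHMM
        per_minute[(principal, minute)] += 1
    return [(p, m, n) for (p, m), n in sorted(per_minute.items()) if n >= threshold]


def audit_layouts(export_text, known_users, threshold=BURST_THRESHOLD):
    """Return {'ownership': [(report, variant, reason), ...], 'bursts': [...]}.
    Ownership findings are the removal candidates; bursts are the timing IoC."""
    rows = parse_layouts(export_text)
    findings = {"ownership": [], "bursts": find_bursts(rows, threshold)}
    for row in rows:
        reason = ownership_finding(row, known_users)
        if reason:
            findings["ownership"].append((row["REPORT"], row["VARIANT"], reason))
    return findings


if __name__ == "__main__":
    result = audit_layouts(LAYOUT_EXPORT, KNOWN_USERS)
    for report, variant, reason in result["ownership"]:
        print(f"REVIEW  {report:<22} {variant:<12} {reason}")
    for principal, minute, count in result["bursts"]:
        print(f"BURST   {principal} created {count} layouts at {minute}")
```

Run it against a real SE16 download after adjusting the column names and KNOWN_USERS. Treat the ownership list as review candidates rather than a deletion list, and remove confirmed entries through the ALV layout management function rather than by editing the tables directly.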
Patch Information
SAP released remediation guidance in SAP Note #3385711. Apply the corresponding SAP_BASIS support package or correction instruction for versions 755, 756, 757, and 758. Additional vendor security guidance is available in the SAP Security Reference Document.
Workarounds
- Limit exposure of SAP GUI services to trusted internal networks using firewall ACLs and VPN-only access
- Enforce strict authorization profiles on ALV layout administration transactions until patches are deployed; note that this narrows authenticated misuse only, and because the flaw is reachable without credentials it does not close the vulnerable path on its own
- Increase audit logging on affected systems to detect exploitation attempts during the remediation window
# Configuration example: restrict SAP GUI access at the network layer
# Allow only the trusted SAP client subnet to reach the AS ABAP dispatcher (DIAG) port 32NN,
# where NN is the two-digit instance number; repeat the rule pair for each instance on the host
INSTANCE=00
CLIENT_SUBNET=10.10.20.0/24
iptables -A INPUT -p tcp -s "$CLIENT_SUBNET" --dport "32${INSTANCE}" -j ACCEPT
iptables -A INPUT -p tcp --dport "32${INSTANCE}" -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.