CVE-2024-21737 Overview
CVE-2024-21737 is a code injection vulnerability [CWE-94] in the SAP Application Interface Framework (AIF) File Adapter version 702. A high-privilege authenticated user can invoke a function module that traverses application layers and executes operating system commands directly on the underlying host. Successful exploitation compromises the confidentiality, integrity, and availability of the SAP environment.
The flaw carries a CVSS 3.1 score of 9.1 and is exploitable over the network with low attack complexity. SAP addressed the issue in its January 2024 Security Patch Day release via SAP Note 3411869.
Critical Impact
An authenticated high-privilege user can break out of the AIF File Adapter context and run arbitrary OS commands on the SAP application server, leading to full host compromise.
Affected Products
- SAP Application Interface Framework File Adapter — version 702
- Deployments using the AIF File Adapter function modules for file-based integration
- SAP NetWeaver application servers hosting the affected AIF component
Discovery Timeline
- 2024-01-09 - CVE-2024-21737 published to the National Vulnerability Database (NVD)
- 2024-01-09 - SAP releases security patch via SAP Note 3411869
- 2024-11-21 - Entry last updated in the NVD
Technical Details for CVE-2024-21737
Vulnerability Analysis
The SAP Application Interface Framework provides a runtime for integrating SAP and non-SAP systems through configurable adapters. The File Adapter handles inbound and outbound file processing on the SAP application server filesystem. Within version 702, a function module exposed by the File Adapter accepts input that flows into operating system command execution paths without adequate validation.
A user with sufficient SAP authorizations can pass crafted parameters through the function module. The input traverses multiple framework layers before reaching a code path that invokes OS-level commands on the host running the SAP NetWeaver ABAP stack. The result is direct command execution under the privileges of the SAP system user, typically <sid>adm.
The issue is classified as Improper Control of Generation of Code [CWE-94]. Because the attack vector is Network and the scope is Changed, exploitation from a remote authenticated session can affect resources beyond the vulnerable component itself.
Root Cause
The File Adapter function module fails to sanitize or restrict parameters that ultimately reach OS command interfaces. Trust boundaries between the ABAP-layer adapter logic and the underlying host commands are not enforced, allowing user-supplied data to influence command construction.
Attack Vector
An authenticated attacker holding high-privilege AIF roles establishes a session with the SAP application server. The attacker calls the vulnerable function module — for example, via Remote Function Call (RFC) or through an SAP GUI transaction that wraps the module — and supplies parameters that are passed to the OS command interface. The command runs in the security context of the SAP system user, granting access to the SAP profile, transport directory, and database connection files.
See the SAP Security Patch Day advisory and SAP Note 3411869 for vendor technical details.
Detection Methods for CVE-2024-21737
Indicators of Compromise
- Unexpected child processes spawned by SAP work processes (disp+work, dw.sap*) such as shells, scripting interpreters, or system utilities
- Outbound network connections initiated from the SAP application server host shortly after AIF File Adapter activity
- AIF runtime logs showing function module calls with anomalous file paths or shell metacharacters in parameter values
- New or modified files in the SAP transport directory or /usr/sap/<SID>/ written by the <sid>adm user outside scheduled jobs
Detection Strategies
- Audit calls to AIF File Adapter function modules through SAP Security Audit Log (transaction SM19/RSAU_CONFIG) and alert on invocations by users outside the approved interface operators group
- Correlate ABAP RFC call telemetry with host-level process creation events on the SAP application server
- Hunt for execution chains where SAP work processes spawn sh, bash, cmd.exe, or powershell.exe — a pattern that should not occur in normal AIF operation
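The three strategies above combined into one detection routine, as an added example that is not part of the original advisory or of any SAP tooling: it runs over constructed audit-log and process-creation records, flags AIF function module calls by users outside an approved operator set, flags parameter values carrying shell metacharacters, and correlates each call with SAP work processes that spawn a shell within a short window. The function module name, user IDs and host names are placeholders; the message IDs AUK/AUL (successful/failed RFC call of a function module) and the /AIF/ namespace are real.

```python
"""Correlate SAP Security Audit Log RFC calls with host process-creation events."""
import re
from datetime import datetime, timedelta

# Constructed sample audit-log export (not real data):
# (timestamp, SAP user, message id, called function module, parameter string).
# "/AIF/FILE_ADAPTER_FM" is a placeholder name, not the real vulnerable module.
AUDIT_RECORDS = [
    ("2024-01-10 08:00:01", "AIF_OPS1", "AUK", "/AIF/FILE_ADAPTER_FM", "PATH=/usr/sap/trans/in/order.xml"),
    ("2024-01-10 08:05:10", "DEVUSER9", "AUK", "/AIF/FILE_ADAPTER_FM", "PATH=/tmp/in.xml;id"),
    ("2024-01-10 08:07:00", "AIF_OPS1", "AUK", "RFC_PING", ""),
]
# Constructed host telemetry: (timestamp, parent image, child image).
PROCESS_EVENTS = [
    ("2024-01-10 08:00:02", "dw.sapABC_DVEBMGS00", "sapxpg"),   # normal external-program start
    ("2024-01-10 08:05:12", "dw.sapABC_DVEBMGS00", "/bin/sh"),  # work process spawning a shell
    ("2024-01-10 09:00:00", "cron", "/bin/sh"),                 # unrelated parent, ignored
]
APPROVED_OPERATORS = {"AIF_OPS1"}          # the approved interface operators group
SHELL_META = re.compile(r"[;|&`$<>]|\.\./")  # metacharacters and path traversal
SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash", "cmd.exe", "powershell.exe"}
WINDOW = timedelta(seconds=30)             # max delay between RFC call and child process

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_sap_work_process(image):
    # disp+work and dw.sap<SID>_<INSTANCE> are the SAP work process images
    return image == "disp+work" or image.startswith("dw.sap")

def find_alerts(audit=AUDIT_RECORDS, procs=PROCESS_EVENTS, approved=APPROVED_OPERATORS):
    """Return (alert_kind, user, detail) tuples for suspicious AIF function module calls."""
    alerts = []
    for when, user, msgid, fm, params in audit:
        # only RFC function-call events for modules in the AIF namespace
        if msgid not in ("AUK", "AUL") or not fm.startswith("/AIF/"):
            continue
        if user not in approved:
            alerts.append(("unapproved_caller", user, fm))
        if SHELL_META.search(params):
            alerts.append(("shell_metachars", user, params))
        t0 = ts(when)
        for pwhen, parent, child in procs:
            if is_sap_work_process(parent) and child in SHELLS and t0 <= ts(pwhen) <= t0 + WINDOW:
                alerts.append(("workproc_spawned_shell", user, f"{parent} -> {child}"))
    return alerts
```

On the constructed data only the DEVUSER9 call raises alerts; the approved operator's call that starts sapxpg does not.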
Monitoring Recommendations
- Forward SAP Security Audit Log, gateway log, and OS process telemetry into a centralized analytics platform for correlation
- Establish a baseline of legitimate AIF File Adapter usage and alert on deviations in calling users, parameter shapes, and target file paths
- Monitor the SAP gateway (gw/sec_info, gw/reg_info) for unauthorized registration of external programs that could chain with this vulnerability
How to Mitigate CVE-2024-21737
Immediate Actions Required
- Apply SAP Note 3411869 to all SAP systems running the Application Interface Framework File Adapter version 702
- Review and reduce membership of roles granting access to AIF administration and File Adapter function modules
- Audit recent calls to the vulnerable function module and investigate any invocations by accounts that should not be using the File Adapter
- Rotate credentials for <sid>adm, database users, and any service accounts reachable from the SAP application server if exploitation is suspected
Patch Information
SAP released the fix as part of the January 2024 SAP Security Patch Day. Administrators should implement SAP Note 3411869 following standard SAP change management procedures, including transport import to development, quality, and production systems. Refer to the SAP Security Patch Day overview for the broader advisory bundle.
Workarounds
- Restrict authorization objects controlling AIF administration so only a minimal set of operators can invoke File Adapter function modules
- Disable or unregister the affected File Adapter function module in environments where it is not required until the patch is applied
- Enforce SAP gateway access control lists (gw/sec_info, gw/reg_info) to limit which external programs and hosts can interact with the application server
- Apply host-based command execution restrictions on the SAP application server to constrain what processes the <sid>adm user can launch
# Example: enable the SAP Security Audit Log and reserve filter slots for AIF function module calls
# Set these static profile parameters in the instance profile (transaction RZ10) and restart the instance,
# or configure the audit log dynamically with transaction RSAU_CONFIG on releases that provide it
rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1
# Then define a filter for the RFC call events: message IDs AUK (successful RFC call of a function module)
# and AUL (failed RFC call), recorded for all users so that callers outside the approved operator group show up
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.