CVE Vulnerability Database

CVE-2024-54197: SAP NetWeaver Administrator SSRF Flaw

CVE-2024-54197 is a Server-Side Request Forgery vulnerability in SAP NetWeaver Administrator that lets authenticated attackers enumerate internal HTTP endpoints. This article covers the technical details, exploitation risks, and mitigation.


CVE-2024-54197 Overview

CVE-2024-54197 is a Server-Side Request Forgery (SSRF) vulnerability in the SAP NetWeaver Administrator System Overview component. An authenticated attacker can craft malicious HTTP requests to enumerate accessible HTTP endpoints within the internal network. Successful exploitation results in limited disclosure of internal service information and minor integrity impact.

The flaw is classified under CWE-918 (Server-Side Request Forgery). SAP disclosed the issue on December 10, 2024, as part of its monthly Security Patch Day. The vulnerability does not affect application availability, but it enables reconnaissance of internal infrastructure that is normally unreachable from external networks.

Critical Impact

Authenticated attackers can leverage the SAP NetWeaver Administrator to probe internal HTTP endpoints, exposing internal service topology and enabling further lateral attacks.

Affected Products

  • SAP NetWeaver Administrator (System Overview component)
  • SAP NetWeaver Application Server Java
  • Refer to SAP Note #3542543 for the complete list of affected versions

Discovery Timeline

  • 2024-12-10 - CVE-2024-54197 published to NVD as part of SAP Security Patch Day
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-54197

Vulnerability Analysis

The vulnerability resides in the System Overview functionality of SAP NetWeaver Administrator. The component accepts user-controlled input that influences server-side HTTP request destinations without sufficient validation. An authenticated attacker submits specially crafted requests that cause the server to issue outbound HTTP calls to attacker-specified targets.

This SSRF condition allows enumeration of HTTP services accessible to the SAP host. Because the SAP server issues the request from its own network position, internal management interfaces, metadata services, and unauthenticated APIs that are unreachable from the attacker's position become reachable. The impact on confidentiality and integrity is rated low, while availability remains unaffected.

The issue is tracked under CWE-918 for Server-Side Request Forgery. Current EPSS data indicates a low probability of near-term exploitation, and no public exploit code or CISA KEV listing exists at the time of writing.

Root Cause

The System Overview module fails to enforce an allow-list of valid request destinations. URL or hostname parameters supplied by an authenticated user are passed directly to the HTTP client used by the administrator interface. The server then performs the request from its own network position, bypassing perimeter controls that would normally block such traffic.
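The allow-list control that this paragraph describes as missing, written out as an added Python illustration. This is not SAP's code and not how the NetWeaver Administrator fix is implemented; the hostnames, ports and the `resolve` callback are assumptions made so that the check runs offline. The point it shows is that a destination supplied by a user is accepted only when its scheme, host and port are all on an explicit allow-list, literal IP addresses are refused, and every address the name resolves to is checked against loopback and link-local ranges.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list for the systems an administration console may poll.
# Entries are exact hostnames, never patterns and never literal IP addresses.
ALLOWED_HOSTS = {"sapapp01.corp.example", "sapapp02.corp.example"}
ALLOWED_PORTS = {80, 443, 50000}


def is_blocked_address(ip):
    """Addresses a server-side fetch must never reach, even when an allow-listed
    name resolves to them: loopback, link-local (cloud metadata), unspecified,
    multicast."""
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast


def validate_destination(url, resolve, allowed_hosts=ALLOWED_HOSTS,
                         allowed_ports=ALLOWED_PORTS):
    """Return (accepted, reason) for a user-supplied destination URL.

    `resolve(host)` returns the list of IP address strings the host resolves
    to; it is injected (hypothetical) so the check can be exercised offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted"
    # user:pass@host forms are a classic way to smuggle a different host
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not permitted"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in allowed_ports:
        return False, "port not on allow-list"
    # Literal addresses (IPv4, IPv6, 169.254.169.254, ::1, ...) are refused
    # outright: the allow-list is keyed by hostname only.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not permitted"
    except ValueError:
        pass
    if host.lower() not in allowed_hosts:
        return False, "host not on allow-list"
    addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if is_blocked_address(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    fake_dns = lambda h: ["10.20.30.40"]   # constructed resolver result
    for candidate in ("https://sapapp01.corp.example/monitoring",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://other.corp.example/"):
        print(candidate, validate_destination(candidate, fake_dns))
```

Two design points worth noting. The resolution step only has value if the HTTP client then connects to the address that was checked rather than resolving the name a second time; a client that re-resolves can be pointed elsewhere between check and connect (DNS rebinding), so the checked address should be pinned for the actual connection. And the check deliberately does not reject private (RFC 1918) addresses, because the systems an SAP administration console legitimately polls are themselves on internal ranges; the allow-list of names, not an address class, is what bounds the destinations.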

Attack Vector

Exploitation requires network access to the SAP NetWeaver Administrator interface and valid authenticated credentials. The attacker submits a crafted HTTP request to the System Overview endpoint containing a target URL that points to an internal resource. The SAP server retrieves the resource and returns response indicators that reveal whether the endpoint is reachable, allowing systematic mapping of internal HTTP services.

The vulnerability is described in prose only because no verified proof-of-concept code is published. Technical specifics are restricted to the vendor advisory referenced in SAP Note #3542543.

Detection Methods for CVE-2024-54197

Indicators of Compromise

  • Unexpected outbound HTTP requests originating from SAP NetWeaver Administrator hosts to internal IP ranges or non-standard ports
  • Sequential or scanning-pattern requests in NetWeaver Administrator System Overview logs from a single authenticated session
  • Authenticated sessions accessing System Overview functions outside normal administrative working hours

Detection Strategies

  • Inspect SAP application logs for System Overview requests containing externally supplied URL parameters or hostnames not matching the documented allow-list
  • Correlate authentication events with subsequent outbound HTTP connections from the NetWeaver host to detect SSRF probing behavior
  • Deploy network monitoring rules that alert on SAP servers initiating connections to internal management interfaces, cloud metadata endpoints, or loopback addresses
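The three indicators listed under Indicators of Compromise and the correlation rules listed under Detection Strategies, applied to a constructed log sample as an added Python example. The log format is invented for this example (SAP's own log formats are not reproduced here), and the business-hours window, the scan threshold and the sensitive-destination list are assumptions to tune for a real landscape. The script flags outbound requests to loopback or link-local destinations (cloud metadata lives at 169.254.169.254), a single session touching many distinct destinations within a short window, and System Overview activity outside the assumed working hours.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real SAP log format): one line per outbound HTTP
# request the NetWeaver host issued on behalf of an authenticated session.
SAMPLE_LOG = """\
2024-12-11T09:15:02Z|session=S1|user=BASIS01|dst=sapapp01.corp.example|port=50000
2024-12-11T09:16:40Z|session=S1|user=BASIS01|dst=sapapp02.corp.example|port=50000
2024-12-11T02:03:11Z|session=S7|user=ADMIN9|dst=10.0.5.1|port=80
2024-12-11T02:03:12Z|session=S7|user=ADMIN9|dst=10.0.5.2|port=80
2024-12-11T02:03:13Z|session=S7|user=ADMIN9|dst=10.0.5.3|port=80
2024-12-11T02:03:14Z|session=S7|user=ADMIN9|dst=10.0.5.4|port=80
2024-12-11T02:03:15Z|session=S7|user=ADMIN9|dst=10.0.5.5|port=80
2024-12-11T02:03:16Z|session=S7|user=ADMIN9|dst=10.0.5.6|port=80
2024-12-11T02:03:20Z|session=S7|user=ADMIN9|dst=169.254.169.254|port=80
2024-12-11T02:03:21Z|session=S7|user=ADMIN9|dst=127.0.0.1|port=8080
"""

# Hostnames that should never be a legitimate System Overview target
# (constructed starting list; extend for your environment).
SENSITIVE_HOSTNAMES = {"localhost", "metadata.google.internal"}


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, *fields = line.strip().split("|")
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "session": kv["session"], "user": kv["user"],
            "dst": kv["dst"], "port": int(kv["port"])}


def is_sensitive_destination(dst):
    """Loopback, link-local (metadata), unspecified, or a listed hostname."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return dst.lower() in SENSITIVE_HOSTNAMES
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified


def is_off_hours(ts, start_hour=7, end_hour=19):
    """True when the timestamp falls outside the assumed working window."""
    return not (start_hour <= ts.hour < end_hour)


def scanning_sessions(records, window_seconds, threshold):
    """Sessions whose peak count of distinct dst:port pairs inside any window
    of `window_seconds` reaches `threshold`; returns {session: peak_count}."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)
    flagged = {}
    for session, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        peak = 0
        for i, start in enumerate(recs):
            limit = start["ts"] + timedelta(seconds=window_seconds)
            distinct = {(r["dst"], r["port"]) for r in recs[i:] if r["ts"] <= limit}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[session] = peak
    return flagged


def analyze(log_text, window_seconds=60, scan_threshold=5, business_hours=(7, 19)):
    """Run the three rules and return a list of (rule, session, detail) tuples."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for r in records:                                   # rule 1: destination
        if is_sensitive_destination(r["dst"]):
            alerts.append(("sensitive_destination", r["session"], f'{r["dst"]}:{r["port"]}'))
    for session, n in scanning_sessions(records, window_seconds, scan_threshold).items():
        alerts.append(("scan_pattern", session,           # rule 2: scanning
                       f"{n} distinct destinations within {window_seconds}s"))
    seen = set()
    for r in records:                                   # rule 3: off-hours
        if r["session"] not in seen and is_off_hours(r["ts"], *business_hours):
            seen.add(r["session"])
            alerts.append(("off_hours", r["session"], r["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, session S1 (two requests to allow-listed application servers during the day) produces nothing, while S7 raises all three rule types. In production the same rules would read from the SIEM-forwarded audit log joined with flow data, and the threshold and window would come from the baseline the Monitoring Recommendations section describes rather than fixed constants.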

Monitoring Recommendations

  • Forward SAP NetWeaver Administrator audit logs to a centralized SIEM for retention and correlation with network flow data
  • Establish baselines for normal System Overview usage patterns to surface anomalous request volumes or destination diversity
  • Monitor privileged SAP account activity for unusual administrative actions following System Overview access

How to Mitigate CVE-2024-54197

Immediate Actions Required

  • Apply the SAP-provided patch documented in SAP Note #3542543 to all affected NetWeaver Administrator instances
  • Review and tighten access controls so that only required administrators retain authorization to the System Overview functionality
  • Audit recent System Overview activity for evidence of internal network enumeration attempts

Patch Information

SAP released a fix as part of the December 2024 Security Patch Day. Patch details and download instructions are available in SAP Note #3542543 and the SAP Security Patch Announcement. Administrators should validate patch deployment across all production, test, and disaster recovery SAP landscapes.

Workarounds

  • Restrict network egress from SAP NetWeaver hosts using host-based or perimeter firewalls to block connections to sensitive internal subnets and cloud metadata endpoints
  • Limit access to the NetWeaver Administrator interface to a dedicated management network or VPN
  • Reduce the population of accounts with administrator privileges on the NetWeaver Java stack until the patch is applied
```bash
# Example egress restriction for an SAP NetWeaver host (iptables).
# Adjust the subnets and ports to your landscape: as written, these rules
# also block legitimate HTTP/HTTPS traffic from the host to all of 10.0.0.0/8.
# Block the cloud instance metadata endpoint
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Block HTTP and HTTPS from this host into the internal subnet
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
