CVE-2024-54197 Overview
CVE-2024-54197 is a Server-Side Request Forgery (SSRF) vulnerability in the SAP NetWeaver Administrator System Overview component. An authenticated attacker can craft malicious HTTP requests to enumerate accessible HTTP endpoints within the internal network. Successful exploitation results in limited disclosure of internal service information and minor integrity impact.
The flaw is classified as CWE-918 (Server-Side Request Forgery). SAP disclosed the issue on December 10, 2024 as part of its monthly Security Patch Day. The vulnerability does not affect application availability but enables reconnaissance of internal infrastructure normally unreachable from external networks.
Critical Impact
Authenticated attackers can leverage the SAP NetWeaver Administrator to probe internal HTTP endpoints, exposing internal service topology and enabling further lateral movement.
Affected Products
- SAP NetWeaver Administrator (System Overview component)
- SAP NetWeaver Application Server Java
- Refer to SAP Note #3542543 for the complete list of affected versions
Discovery Timeline
- 2024-12-10 - CVE-2024-54197 published to NVD as part of SAP Security Patch Day
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-54197
Vulnerability Analysis
The vulnerability resides in the System Overview functionality of SAP NetWeaver Administrator. The component accepts user-controlled input that influences server-side HTTP request destinations without sufficient validation. An authenticated attacker submits specially crafted requests that cause the server to issue outbound HTTP calls to attacker-specified targets.
This SSRF condition allows enumeration of HTTP services accessible to the SAP host. Because the SAP server acts as a proxy for the attacker's requests, internal management interfaces, metadata services, and unauthenticated APIs become reachable. The impact on confidentiality and integrity is rated low, while availability remains unaffected.
The issue is tracked as CWE-918 (Server-Side Request Forgery). Current EPSS data indicates a low probability of near-term exploitation, and no public exploit code or CISA KEV listing exists at the time of writing.
Root Cause
The System Overview module fails to enforce an allow-list of valid request destinations. URL or hostname parameters supplied by an authenticated user are passed directly to the HTTP client used by the administrator interface. The server then performs the request from its own network position, bypassing perimeter controls that would normally block such traffic.
Attack Vector
Exploitation requires network access to the SAP NetWeaver Administrator interface and valid authenticated credentials. The attacker submits a crafted HTTP request to the System Overview endpoint containing a target URL pointing to an internal resource. The SAP server retrieves the resource and returns response indicators that reveal whether the endpoint is reachable, allowing systematic mapping of internal HTTP services.
The vulnerability is described in prose only because no verified proof-of-concept code is published. Technical specifics are restricted to the vendor advisory referenced in SAP Note #3542543.
Detection Methods for CVE-2024-54197
Indicators of Compromise
- Unexpected outbound HTTP requests originating from SAP NetWeaver Administrator hosts to internal IP ranges or non-standard ports
- Sequential or scanning-pattern requests in NetWeaver Administrator System Overview logs from a single authenticated session
- Authenticated sessions accessing System Overview functions outside normal administrative working hours
Detection Strategies
- Inspect SAP application logs for System Overview requests containing externally supplied URL parameters or hostnames not matching the documented allow-list
- Correlate authentication events with subsequent outbound HTTP connections from the NetWeaver host to detect SSRF probing behavior
- Deploy network monitoring rules that alert on SAP servers initiating connections to internal management interfaces, cloud metadata endpoints, or loopback addresses
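The allow-list check whose absence is described under Root Cause, reused here as the log inspection described above: an added example, not SAP code or the page's own. The allow-list contents, the /nwa/sysinfo path, the target parameter name and the log line format are assumptions.

```python
# Added example, not SAP code: the destination allow-list the System Overview
# lacked, reused by a detector over constructed log lines (format is assumed).
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed: the only (host, port) pairs the server may fetch, https only.
ALLOWED_DESTINATIONS = {("monitoring.corp.example", 443), ("solman.corp.example", 8443)}

def destination_allowed(url: str) -> bool:
    """True only for https URLs whose host:port is allow-listed; IP literals never are."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, (parts.port if parts.port is not None else 443)
    except ValueError:
        return False                      # malformed URL or port
    if parts.scheme != "https" or not host:
        return False
    try:
        ipaddress.ip_address(host)        # loopback, metadata, private ranges...
        return False                      # ...any bare IP literal is refused
    except ValueError:
        return (host.lower(), port) in ALLOWED_DESTINATIONS

# Constructed log format (not SAP's): ts session= user= METHOD request status=
LOG_RE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
                    r"(?P<method>[A-Z]+) (?P<request>\S+) status=(?P<status>\d+)$")

SAMPLE_LOG = [  # constructed sample lines, not captured from a real system
    "2024-12-11T02:14:03Z session=s1 user=admin1 GET /nwa/sysinfo?target=https://monitoring.corp.example/ status=200",
    "2024-12-11T02:14:09Z session=s2 user=svc_ops GET /nwa/sysinfo?target=http://127.0.0.1:50000/ status=200",
    "2024-12-11T02:14:10Z session=s2 user=svc_ops GET /nwa/sysinfo?target=http://169.254.169.254/latest/meta-data/ status=200",
    "2024-12-11T02:14:11Z session=s2 user=svc_ops GET /nwa/sysinfo?target=http://10.0.0.5:8080/ status=200",
]

def analyze(log_lines, scan_threshold=3):
    """Alert on targets failing the allow-list and on sessions probing many distinct targets."""
    alerts, targets_by_session = [], defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["request"].startswith("/nwa/sysinfo"):
            continue                      # not a System Overview request
        for target in parse_qs(urlsplit(m["request"]).query).get("target", []):
            if not destination_allowed(target):
                alerts.append(("disallowed_target", m["session"], target))
            targets_by_session[m["session"]].add(target)
    for session, targets in targets_by_session.items():
        if len(targets) >= scan_threshold:    # scanning pattern from one session
            alerts.append(("scan_pattern", session, f"{len(targets)} distinct targets"))
    return alerts
```

A hostname allow-list still relies on DNS, so the address the HTTP client actually connects to should be re-checked against the same rules at connect time.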
Monitoring Recommendations
- Forward SAP NetWeaver Administrator audit logs to a centralized SIEM for retention and correlation with network flow data
- Establish baselines for normal System Overview usage patterns to surface anomalous request volumes or destination diversity
- Monitor privileged SAP account activity for unusual administrative actions following System Overview access
How to Mitigate CVE-2024-54197
Immediate Actions Required
- Apply the SAP-provided patch documented in SAP Note #3542543 to all affected NetWeaver Administrator instances
- Review and tighten access controls so that only required administrators retain authorization to the System Overview functionality
- Audit recent System Overview activity for evidence of internal network enumeration attempts
Patch Information
SAP released a fix as part of the December 2024 Security Patch Day. Patch details and download instructions are available in SAP Note #3542543 and the SAP Security Patch Announcement. Administrators should validate patch deployment across all production, test, and disaster recovery SAP landscapes.
Workarounds
- Restrict network egress from SAP NetWeaver hosts using host-based or perimeter firewalls to block connections to sensitive internal subnets and cloud metadata endpoints
- Limit access to the NetWeaver Administrator interface to a dedicated management network or VPN
- Reduce the population of accounts with administrator privileges on the NetWeaver Java stack until the patch is applied
# Example egress restriction for an SAP NetWeaver host (iptables)
# Rules are evaluated in order: insert ACCEPT rules for the internal backends
# the SAP host legitimately needs before these DROPs, substitute the site's own
# internal subnets for 10.0.0.0/8, and mirror the rules in ip6tables for IPv6.
iptables -A OUTPUT -d 169.254.169.254 -j DROP                  # cloud metadata endpoint
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 80 -j DROP     # internal HTTP
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 443 -j DROP    # internal HTTPS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.