CVE-2018-2380
Published 2018-03-01
Priority: P1 · 82 · medium · CVSS 3.1 base score 6.6
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:C / C:L / I:L / A:L
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 29.23% (97.9th percentile)
SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
Affected
12 ranges (the page lists no version bounds or fixed versions for them; the entries below are deduplicated)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | customer_relationship_management | — | — |
| sap_se | sap_crm | — | — |
Detection & IOCs (extracted from sources)
path: C:\usr\sap\{SID}\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\
snort:
```
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution"; flow:established,to_server; http.uri; content:"/init.do?"; content:"java.util"; content:"Runtime.getRuntime().exec"; fast_pattern; content:"cmd"; reference:url,exploit-db.com/exploits/44292/; reference:cve,2018-2380; classtype:attempted-user; sid:2025835; rev:3; metadata:attack_target Web_Server, created_at 2018_07_12, cve CVE_2018_2380, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_25;)
```
Detection notes:
- Detect HTTP requests to /b2b/init.do? containing URL-encoded JSP shell code with 'Runtime.getRuntime().exec'. This is the log injection write step that drops the webshell.
- Monitor POST requests to /b2b/admin/logging.jsp with a 'selDest' parameter pointing to a .jsp path under the servlet_jsp/_default/root/ directory. This is the attacker redirecting the log output to a webshell location.
- Alert on newly created .jsp files matching the pattern ERPScan_shell_<number>.jsp in the SAP servlet root directory, indicating successful webshell deployment.
- The exploit uses a fixed User-Agent string; correlate this UA with requests to SAP CRM /b2b/ endpoints as a low-confidence pivot indicator.
- The Emerging Threats Snort rule (SID 2025835) triggers on HTTP URIs containing /init.do? with both 'java.util' and 'Runtime.getRuntime().exec' in the same request. Deploy this rule on perimeter sensors facing SAP CRM instances.

Caveats:
- The webshell drop path is hardcoded to drive letter C:\ and SAP instance node J00; environments with different drive letters, instance numbers, or non-Windows deployments will use different paths, requiring path pattern adjustments in detection rules.
- The exploit requires valid SAP CRM administrator credentials; detections based solely on the log-path change POST may miss cases where the attacker already has a valid session obtained through other means.
- The exploit restores the log path to ./default_log_name.log after the shell upload, so the malicious selDest POST is transient and may appear only briefly in logs. Ensure high-fidelity logging of all POST bodies to /b2b/admin/logging.jsp.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.6 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 6.6 | MEDIUM | — |
| cisa | — | 6.6 | MEDIUM | — |
CISA
SAP Customer Relationship Management (CRM) Path Traversal Vulnerability
cisa · 2021-11-03 · CVSS 6.6
CVE-2018-2380 [MEDIUM] CWE-22 SAP Customer Relationship Management (CRM) Path Traversal Vulnerability
Vulnerability: SAP Customer Relationship Management (CRM) Path Traversal Vulnerability
Affected: SAP Customer Relationship Management (CRM)
SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-2380
Remediation Due Date: 2022-05-03
GHSA
GHSA-22j7-69m5-2pqh: SAP CRM, 7
ghsa_unreviewed · 2022-05-14
CVE-2018-2380 [MEDIUM] CWE-22 GHSA-22j7-69m5-2pqh: SAP CRM, 7
SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
VulnCheck
SAP Customer Relationship Management (CRM) Path Traversal Vulnerability
vulncheck · 2018 · CVSS 6.6
CVE-2018-2380 [MEDIUM] CWE-22 SAP Customer Relationship Management (CRM) Path Traversal Vulnerability
SAP Customer Relationship Management (CRM) Path Traversal Vulnerability
SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users.
Affected: SAP Customer Relationship Management (CRM)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://digital.nhs.uk/cyber-alerts/2021/cc-3815
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.csoonline.com/article/3674119/most-common-sap-vulnerabilities-attackers-try-to-exploit.html
- https://go.onapsis.com/threat-report/ch4tter
Exploit PoC:
- https://vulncheck.com/xdb/a7644be4c7b5
- https://vulncheck.com/xdb/fdfc15
Suricata
ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution
suricata · 2018-07-12
CVE-2018-2380 ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution
Rule:
```
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution"; flow:established,to_server; http.uri; content:"/init.do?"; content:"java.util"; content:"Runtime.getRuntime().exec"; fast_pattern; content:"cmd"; reference:url,exploit-db.com/exploits/44292/; reference:cve,2018-2380; classtype:attempted-user; sid:2025835; rev:3; metadata:attack_target Web_Server, created_at 2018_07_12, cve CVE_2018_2380, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_25;)
```
References:
- http://www.securityfocus.com/bid/103001
- https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/
- https://github.com/erpscanteam/CVE-2018-2380
- https://launchpad.support.sap.com/#/notes/2547431
- https://www.exploit-db.com/exploits/44292/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-2380

Timeline:
- 2018-03-01: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild