CVE-2018-2380
published 2018-03-01


SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 and 7.54 allow an attacker to exploit insufficient validation of path information provided by users: characters representing "traverse to parent directory" are passed through to the file APIs.

Priority: P1 (82)
CVSS 3.1: 6.6 medium, vector AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Tags: KEV, ITW, exploit, ransomware, initial access
CISA Known Exploited Vulnerabilities: due 2022-05-03
Exploited in the wild
EPSS: 29.23% (97.9th percentile)

Affected

12 ranges (the version-range and fixed-in columns were not extracted; the six CRM releases named in the description appear once per product name)

Vendor   Product                            Version range   Fixed in
sap      customer_relationship_management   (6 ranges)
sap_se   sap_crm                            (6 ranges)

Detection & IOCs (extracted from sources)

url:      /b2b/admin/logging.jsp
url:      /b2b/admin/index.jsp
url:      /b2b/init.do
path:     C:\usr\sap\{SID}\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\
filename: ERPScan_shell_<random>.jsp
port:     50000
command:  Runtime.getRuntime().exec(request.getParameter("cmd"))

IDS rule (Emerging Threats SID 2025835; written with the Suricata http.uri sticky buffer):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution"; flow:established,to_server; http.uri; content:"/init.do?"; content:"java.util"; content:"Runtime.getRuntime().exec"; fast_pattern; content:"cmd"; reference:url,exploit-db.com/exploits/44292/; reference:cve,2018-2380; classtype:attempted-user; sid:2025835; rev:3; metadata:attack_target Web_Server, created_at 2018_07_12, cve CVE_2018_2380, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_25;)
  • Detect HTTP requests to /b2b/init.do? whose query string carries URL-encoded JSP source containing 'Runtime.getRuntime().exec'. This is the log-injection write step: the request is logged, and the logged text becomes the body of the web shell.
  • Monitor POST requests to /b2b/admin/logging.jsp whose 'selDest' parameter points at a .jsp path under the servlet_jsp/_default/root/ directory. This is the attacker redirecting the application log output to a location the servlet container will serve.
  • Alert on newly created .jsp files matching ERPScan_shell_<number>.jsp in the SAP servlet root directory; such a file indicates the web shell was written successfully.
  • The public exploit uses a fixed User-Agent string; correlate that UA with requests to SAP CRM /b2b/ endpoints as a low-confidence pivot indicator.
  • The Emerging Threats rule (SID 2025835) fires on HTTP URIs containing /init.do? together with both 'java.util' and 'Runtime.getRuntime().exec' in the same request. Deploy it on perimeter sensors facing SAP CRM instances; note that it is written with the Suricata http.uri sticky buffer, so a Snort 2.x sensor needs the same content matches expressed with the http_uri modifier.
  • The web shell drop path is hardcoded to drive letter C:\ and SAP instance directory J00. Environments with a different drive letter, instance number, or a non-Windows deployment use different paths, so detection rules should match on the servlet_jsp/_default/root/ suffix rather than the full path.
  • The exploit requires valid SAP CRM administrator credentials (PR:H in the CVSS vector). Detections that rely on the authentication step alone will miss an attacker who already holds a valid session, so the logging.jsp POST and the file-creation indicators should be monitored regardless of how the session was obtained.
  • The exploit restores the log path to ./default_log_name.log after the shell is uploaded, so the malicious selDest POST is transient and may appear only once in the logs. Ensure high-fidelity logging of full POST bodies to /b2b/admin/logging.jsp.
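The three detection points above (the shell source in the init.do query, the selDest redirect POST, and the dropped file name) are easy to express as a small log scanner. The following is an added example, not code from the page or from the exploit author; it runs over constructed NDJSON proxy and file-creation events (the event schema, the SID "PRD", the D: drive and J01 instance directory, and the sample JSP payload are all assumptions chosen to exercise the caveats above). It URL-decodes repeatedly so double-encoded payloads are still caught, and it normalises backslashes and matches only the servlet_jsp/_default/root/ suffix so the drive letter and instance number do not matter.

```python
import json
import re
from urllib.parse import quote, unquote_plus, urlsplit, parse_qs

# Indicators from the advisory: the log-injection write goes through /b2b/init.do,
# the log redirect is a POST to /b2b/admin/logging.jsp with a selDest parameter,
# and the dropped shell lands under .../servlet_jsp/_default/root/.
INIT_PATH = "/b2b/init.do"
LOGGING_PATH = "/b2b/admin/logging.jsp"
SHELL_DIR = "/servlet_jsp/_default/root/"
EXEC_MARKER = "Runtime.getRuntime().exec"
SHELL_NAME = re.compile(r"^ERPScan_shell_[0-9A-Za-z]+\.jsp$")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so %2528-style double encoding is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_log_injection_write(uri: str) -> bool:
    """Request to /b2b/init.do whose query string carries the JSP shell source."""
    parts = urlsplit(uri)
    if parts.path != INIT_PATH:
        return False
    return EXEC_MARKER in fully_decode(parts.query)


def is_log_redirect(method: str, uri: str, body: str) -> bool:
    """POST to logging.jsp that points selDest at a .jsp under the servlet root.
    Backslashes are normalised and only the directory suffix is matched, so the
    check is independent of drive letter (C:\\ on the page) and instance (J00)."""
    if method.upper() != "POST" or urlsplit(uri).path != LOGGING_PATH:
        return False
    for dest in parse_qs(body).get("selDest", []):
        normalised = fully_decode(dest).replace("\\", "/")
        if SHELL_DIR in normalised and normalised.lower().endswith(".jsp"):
            return True
    return False


def is_shell_filename(name: str) -> bool:
    """File-creation event for ERPScan_shell_<id>.jsp."""
    return SHELL_NAME.match(name) is not None


def scan(events):
    """Run all three checks over NDJSON events; returns (stage, event index) hits."""
    hits = []
    for idx, line in enumerate(events):
        ev = json.loads(line)
        if ev.get("type") == "http":
            if is_log_injection_write(ev["uri"]):
                hits.append(("write", idx))
            if is_log_redirect(ev["method"], ev["uri"], ev.get("body", "")):
                hits.append(("redirect", idx))
        elif ev.get("type") == "file" and is_shell_filename(ev["name"]):
            hits.append(("shell", idx))
    return hits


# Constructed sample data (assumption): a benign init.do hit, the injection write,
# the selDest redirect on a non-default drive/instance, the restore POST, and two
# file-creation events. The JSP payload is a generic stand-in, not the exploit's.
SAMPLE_SHELL = '<%@page import="java.util.*"%><% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
SAMPLE_DEST = r"D:\usr\sap\PRD\J01\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\ERPScan_shell_4711.jsp"
SAMPLE_EVENTS = [
    json.dumps({"type": "http", "method": "GET", "uri": INIT_PATH + "?shop=default", "body": ""}),
    json.dumps({"type": "http", "method": "GET", "uri": INIT_PATH + "?" + quote(SAMPLE_SHELL, safe=""), "body": ""}),
    json.dumps({"type": "http", "method": "POST", "uri": LOGGING_PATH, "body": "selDest=" + quote(SAMPLE_DEST, safe="")}),
    json.dumps({"type": "http", "method": "POST", "uri": LOGGING_PATH, "body": "selDest=.%2Fdefault_log_name.log"}),
    json.dumps({"type": "file", "name": "ERPScan_shell_4711.jsp"}),
    json.dumps({"type": "file", "name": "index.jsp"}),
]

if __name__ == "__main__":
    for stage, idx in scan(SAMPLE_EVENTS):
        print(f"{stage:8s} event {idx}: {SAMPLE_EVENTS[idx][:90]}")
```

The write check deliberately requires only the exec marker rather than the ET rule's three-way match (java.util, exec, cmd), trading a few more false positives for resilience against a trimmed payload; tighten it to the rule's conditions if the sensor is noisy. Because the redirect POST is transient, the scanner is only as good as the POST-body logging feeding it.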

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.6     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
nvd         v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck             6.6     MEDIUM
cisa                  6.6     MEDIUM