The exploitation technique uses HTTP request smuggling to bypass security controls and trigger a memory corruption vulnerability. Once compromised, affected systems have been weaponized to establish persistent access and exfiltrate sensitive business data, with several victims reporting significant financial losses and operational disruptions. The vulnerability affects systems across industries, with government agencies, healthcare providers, and critical infrastructure operators among those most at risk due to their reliance on SAP for core business operations. This crafted SOAP request exploits improper input validation in the RFC_READ_TABLE function, where the TEXT field contains format string specifiers that trigger memory corruption and subsequent code execution. A critical vulnerability in SAP NetWeaver Application Server has become the latest target for Chinese state-sponsored threat actors, with researchers confirming active exploitation in the wild. The zero-day vulnerability, tracked as CVE-2023-7629, affects multiple versions of SAP NetWeaver AS ABAP and enables attackers to gain remote code execution without authentication. Their analysis revealed that the malware establishes encrypted command-and-control channels through legitimate SAP communication protocols, making detection particularly challenging for traditional security tools. The attack vector begins with a specially crafted HTTP request to vulnerable SAP NetWeaver instances, exploiting memory corruption in the ICM component. Security experts warn that thousands of internet-facing SAP systems remain vulnerable despite emergency patches released last week. The sophistication of the attacks has raised concerns about potential supply chain implications, as compromised systems could be used to target connected business partners.
Organizations running SAP systems are experiencing significant business impact, with several critical environments taken offline for emergency patching. SAP NetWeaver Attack Chain illustrates how this initial exploit leads to persistent access within compromised environments. The attackers demonstrated extensive knowledge of SAP architecture, suggesting a dedicated focus on targeting enterprise resource planning systems. The vulnerability exists in the SAP Internet Communication Manager (ICM) component, which handles HTTP requests for SAP applications. Initial exploitation attempts were observed targeting financial institutions and manufacturing companies with high-value intellectual property. This initial access is followed by payload delivery that establishes persistence through modified SAP service configurations and scheduled jobs. Once executed, the payload establishes a reverse shell connection, allowing attackers to download additional malware components.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 12 May 2025 12:00:25 +0000