CVE-2007-4475

SAP AG SAPgui <7.10 PL9 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2007-4475. PoCs published by Metasploit, Digital Security Research Group, MC, including Metasploit module exploits/windows/browser/sapgui_saveviewtosessionfile.

AI-analyzed exploit summary This is a Metasploit module exploiting a stack buffer overflow in the SAPgui EAI WebViewer3D ActiveX control via the SaveViewToSessionFile() method. It delivers a payload through a malicious HTML page, achieving remote code execution.

Description

Stack-based buffer overflow in EAI WebViewer3D ActiveX control (webviewer3d.dll) in SAP AG SAPgui before 7.10 Patch Level 9 allows remote attackers to execute arbitrary code via a long argument to the SaveViewToSessionFile method.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16575

This is a Metasploit module exploiting a stack buffer overflow in the SAPgui EAI WebViewer3D ActiveX control via the SaveViewToSessionFile() method. It delivers a payload through a malicious HTML page, achieving remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SAPgui with EAI WebViewer3D ActiveX control (clsid:AFBBE070-7340-11D2-AA6B-00E02924C34E)
No auth needed
Prerequisites: Target must have SAPgui with vulnerable ActiveX control installed · Target must visit a malicious web page or be redirected to it
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Digital Security Research Group · htmlremotewindows
https://www.exploit-db.com/exploits/32879

The provided code is a writeup describing multiple XSS vulnerabilities in SAP MaxDB. It includes example URLs demonstrating how unsanitized user input in the 'Database', 'User', and 'Password' parameters can lead to arbitrary script execution in the context of the affected site.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: SAP MaxDB
No auth needed
Prerequisites: Access to the vulnerable SAP MaxDB web interface
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb

This Metasploit module exploits a stack buffer overflow in the SAPgui EAI WebViewer3D ActiveX control via the SaveViewToSessionFile() method. It delivers a malicious HTML page with obfuscated JavaScript to trigger the vulnerability and execute arbitrary code.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SAPgui with EAI WebViewer3D ActiveX control (clsid:AFBBE070-7340-11D2-AA6B-00E02924C34E)
No auth needed
Prerequisites: Victim must visit a malicious web page or open a malicious HTML file · ActiveX control must be installed and enabled
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34310
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/0892
Patch, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/985449
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/49543
Patch, Vendor Advisory x_refsource_misc
https://service.sap.com/sap/support/notes/1153794
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/34559

Scores

EPSS 0.4031
EPSS Percentile 98.5%

Details

CWE
CWE-119
Status published
Products (7)
sap/sapgui
sap/sapgui 4.6 (2 CPE variants)
sap/sapgui 4.6a (2 CPE variants)
sap/sapgui 4.6b (2 CPE variants)
sap/sapgui 4.6c (2 CPE variants)
sap/sapgui 4.6d (2 CPE variants)
sap/sapgui 6.40
Published Apr 01, 2009
Tracked Since Feb 18, 2026