CVE-2012-2611

SAP NetWeaver 7.0 EHP1 and EHP2 - Remote Code Execution via DiagTraceR3Info Function

Exploitation Summary

EIP tracks 4 public exploits for CVE-2012-2611. PoCs published by Metasploit, Martin Gallo, juan vazquez, including Metasploit module exploits/windows/misc/sap_netweaver_dispatcher.

AI-analyzed exploit summary: This is a Metasploit module exploiting a stack buffer overflow in SAP NetWeaver Dispatcher's DiagTraceR3Info function. It achieves remote code execution via a crafted Diag packet, with ROP chains for DEP bypass on Windows XP SP3 and Windows 2003 SP2.

Description

The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/21034

This is a Metasploit module exploiting a stack buffer overflow in SAP NetWeaver Dispatcher's DiagTraceR3Info function. It achieves remote code execution via a crafted Diag packet, with ROP chains for DEP bypass on Windows XP SP3 and Windows 2003 SP2.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: SAP NetWeaver Dispatcher 7.0 EHP2 SP6
No auth needed
Prerequisites: Developer Traces configured at levels 2 or 3 · Access to TCP port 3200
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
dos · windows
https://www.exploit-db.com/exploits/18853

The provided code is a functional Python exploit for multiple vulnerabilities in SAP NetWeaver Dispatcher, including buffer overflows and DoS conditions. It demonstrates how to craft malicious SAP Diag packets to trigger vulnerabilities in functions like DiagTraceR3Info and DiagTraceHex.

Classification: Working PoC 100%
Attack Type: RCE | DoS
Complexity: Moderate
Reliability: Reliable
Target: SAP NetWeaver 7.0 EHP1, SAP NetWeaver 7.0 EHP2
No auth needed
Prerequisites: Network access to SAP NetWeaver Dispatcher service (TCP port 32NN) · Developer Trace configured at levels 2 or 3 for Dialog Processing
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
python · dos · multiple
https://www.exploit-db.com/exploits/20705

The provided Python script demonstrates multiple buffer overflow vulnerabilities in SAP NetWeaver Dispatcher, allowing remote code execution and denial of service attacks via crafted SAP Diag packets. It includes functional exploit code for several CVEs (CVE-2012-2611, CVE-2012-2612, etc.) targeting specific functions like DiagTraceR3Info and DiagTraceHex.

Classification: Working PoC 100%
Attack Type: RCE | DoS
Complexity: Moderate
Reliability: Reliable
Target: SAP NetWeaver 7.0 EHP1/EHP2 (disp+work.exe)
No auth needed
Prerequisites: Network access to SAP Dispatcher TCP ports (32NN) · Developer Trace level 2 or 3 for Dialog Processing (for some CVEs)
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC NORMAL
by Martin Gallo, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb

This Metasploit module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher service via the DiagTraceR3Info function. It includes ROP chains for DEP bypass and targets Windows XP SP3 and Windows 2003 SP2, delivering a payload for remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: SAP NetWeaver Dispatcher 7.0 EHP2 SP6
No auth needed
Prerequisites: Developer Traces configured at levels 2 or 3 · Network access to SAP Dispatcher service (port 3200)
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Various Sources x_refsource_confirm
http://scn.sap.com/docs/DOC-8218
Various Sources x_refsource_misc
https://service.sap.com/sap/support/notes/1687910
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1027052

Scores

EPSS 0.4192
EPSS Percentile 98.5%

Details

CWE: CWE-20
Status: published
Products (1): sap/netweaver 7.0 ehp1 (2 CPE variants)
Published: May 15, 2012
Tracked Since: Feb 18, 2026