CVE-2018-2380
MEDIUM KEV RANSOMWARESAP CRM 7.01-7.02, 7.30-7.31, 7.33, 7.54 - Path Traversal
Title source: llmExploitation Summary
CVE-2018-2380 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including erp scan team, erpscanteam, The-Real-TechLord.
AI-analyzed exploit summary This exploit leverages a log injection vulnerability in SAP CRM to achieve remote command execution by manipulating log file paths and injecting a JSP shell. It requires valid credentials and interacts with the SAP CRM admin interface to deploy the payload.
Description
SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
Exploits (3)
This exploit leverages a log injection vulnerability in SAP CRM to achieve remote command execution by manipulating log file paths and injecting a JSP shell. It requires valid credentials and interacts with the SAP CRM admin interface to deploy the payload.
This PoC exploits CVE-2018-2380, a log injection vulnerability in SAP NetWeaver AS JAVA CRM, to achieve remote command execution by injecting a JSP shell into the log file path and then accessing it to execute arbitrary commands.
This repository contains a functional Python exploit for CVE-2018-2380, which achieves remote command execution (RCE) on SAP NetWeaver AS JAVA CRM via log injection. The exploit authenticates to the SAP portal, manipulates log file paths to upload a malicious JSP shell, and restores the original log path.
References (6)
Scores
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L