A critical security flaw in SAP NetWeaver Application Server, tracked as CVE-2023-7629, has been actively exploited by Chinese state-sponsored threat actors. The zero-day affects multiple versions of SAP NetWeaver AS ABAP and lets an attacker execute code remotely without any authentication.
Despite SAP's release of emergency patches, numerous internet-facing SAP systems remain unpatched and exposed. The flaw resides in the Internet Communication Manager (ICM), the NetWeaver component that terminates HTTP(S) connections and dispatches web requests to the application server, which is why any internet-exposed instance is reachable by the exploit without prior access.
Initial attacks targeted financial institutions and manufacturing companies possessing valuable intellectual property. Compromised systems have been used to establish persistent access and exfiltrate sensitive business data, leading to significant financial losses and operational disruptions.
Security researchers from Forescout have identified a sophisticated attack chain leveraging this vulnerability to deploy custom malware named SAPphire. This malware establishes encrypted command-and-control channels through legitimate SAP communication protocols, making detection challenging for traditional security tools.
The attackers’ deep understanding of SAP architecture suggests a dedicated focus on targeting enterprise resource planning systems. The attack begins with a specially crafted HTTP request to vulnerable SAP NetWeaver instances, exploiting memory corruption in the ICM component. This initial access is followed by payload delivery that establishes persistence through modified SAP service configurations and scheduled jobs.
The exploitation technique uses HTTP request smuggling against the ICM to slip crafted requests past front-end security controls (web application firewalls and reverse proxies that only inspect the outer request) and trigger the memory corruption. Analysis of compromised systems also revealed crafted SOAP requests aimed at the RFC_READ_TABLE function module, exploiting improper input validation that the analysts tie to memory corruption and subsequent code execution. Once the payload runs, it opens a reverse shell to the attackers, who then download additional malware components.
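Both observable artifacts in the chain above (smuggling-style request framing and SOAP calls to RFC_READ_TABLE) can be hunted for in raw HTTP traffic captured in front of the ICM, for example from a reverse proxy or an ICM HTTP trace. The script below is an added example written for this article, not code from SAP, Forescout or any referenced report; the sample requests are constructed, the host name is made up, and the `/sap/bc/soap/rfc` path is the standard SOAP-to-RFC endpoint. The indicators it flags (Content-Length together with Transfer-Encoding, conflicting or non-numeric Content-Length, non-standard Transfer-Encoding, a body length that disagrees with the declared length) are the generic framing tricks that request smuggling depends on, not a signature of this particular exploit. RFC_READ_TABLE is an RFC-enabled function module that normally requires an authenticated user with the appropriate table authorizations, so a SOAP call to it with no session credentials at all is worth a second look.

```python
"""Triage raw HTTP requests seen in front of an SAP ICM for request-smuggling
framing tricks and SOAP calls to RFC_READ_TABLE.

Added example with constructed traffic; not code from any vendor or report.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    index: int            # position of the request in the capture
    request_line: str
    reasons: list = field(default_factory=list)


def build_request(method, path, headers, body=b""):
    """Assemble a raw HTTP/1.1 request; used only to build the sample data."""
    lines = [f"{method} {path} HTTP/1.1".encode()]
    lines += [f"{name}: {value}".encode() for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def parse_request(raw):
    """Split a raw request into (request line, [(lower-cased name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def smuggling_indicators(headers, body):
    """Return a list of reasons the request framing looks like smuggling."""
    reasons = []
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        reasons.append("Content-Length and Transfer-Encoding both present")
    if len(set(cl)) > 1:
        reasons.append("conflicting Content-Length values: " + ", ".join(cl))
    for v in cl:
        if not v.isdigit():
            reasons.append(f"non-numeric Content-Length {v!r}")
    for v in te:
        # Anything other than plain 'chunked' is an obfuscation attempt aimed
        # at making two parsers disagree about where the body ends.
        if v.lower() != "chunked":
            reasons.append(f"non-standard Transfer-Encoding {v!r}")
    # Only meaningful when Content-Length alone frames the body.
    if len(cl) == 1 and not te and cl[0].isdigit() and int(cl[0]) != len(body):
        reasons.append(f"Content-Length {cl[0]} does not match body length {len(body)}")
    return reasons


# Matches the element that invokes the function module, with or without a namespace prefix.
RFC_READ_TABLE_RE = re.compile(rb"<\s*(?:\w+:)?RFC_READ_TABLE\b", re.IGNORECASE)


def rfc_indicators(headers, body):
    """Flag SOAP calls to RFC_READ_TABLE, and note when no credentials travel with them."""
    reasons = []
    if RFC_READ_TABLE_RE.search(body):
        reasons.append("SOAP call to RFC_READ_TABLE")
        names = {n for n, _ in headers}
        # SAP sessions may be carried in cookies rather than an Authorization
        # header, so only the absence of both is treated as an indicator.
        if "authorization" not in names and "cookie" not in names:
            reasons.append("no Authorization or Cookie header on RFC call")
    return reasons


def scan(requests):
    """Run both indicator sets over a list of raw requests and collect findings."""
    findings = []
    for i, raw in enumerate(requests):
        request_line, headers, body = parse_request(raw)
        reasons = smuggling_indicators(headers, body) + rfc_indicators(headers, body)
        if reasons:
            findings.append(Finding(i, request_line, reasons))
    return findings


# Constructed sample capture (made-up host; not from any real incident).
HOST = "erp.example.internal"
SOAP_BODY = (
    b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:urn="urn:sap-com:document:sap:rfc:functions"><soapenv:Body>'
    b"<urn:RFC_READ_TABLE><QUERY_TABLE>USR02</QUERY_TABLE></urn:RFC_READ_TABLE>"
    b"</soapenv:Body></soapenv:Envelope>"
)
SAMPLE_REQUESTS = [
    # 0: benign health check
    build_request("GET", "/sap/public/ping", [("Host", HOST)]),
    # 1: CL.TE desync with a second request hidden in the body
    build_request("POST", "/sap/bc/gui/sap/its/webgui",
                  [("Host", HOST), ("Content-Length", "4"), ("Transfer-Encoding", "chunked")],
                  b"0\r\n\r\nGET /sap/bc/soap/rfc HTTP/1.1\r\n"),
    # 2: well-framed SOAP call to RFC_READ_TABLE with no credentials at all
    build_request("POST", "/sap/bc/soap/rfc",
                  [("Host", HOST), ("Content-Type", "text/xml"),
                   ("Content-Length", str(len(SOAP_BODY)))], SOAP_BODY),
    # 3: obfuscated Transfer-Encoding on an otherwise authenticated request
    build_request("POST", "/sap/bc/soap/rfc",
                  [("Host", HOST), ("Authorization", "Basic QUxJQ0U6c2VjcmV0"),
                   ("Transfer-Encoding", "xchunked")], b"0\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"request {f.index}: {f.request_line}")
        for r in f.reasons:
            print(f"    - {r}")
```

The framing checks deliberately stay conservative (a lone Content-Length that matches the body is never flagged), so the script can run over a day of proxy logs without drowning analysts in false positives; the RFC_READ_TABLE check is the one to tune, since legitimate integrations do call it and should be allow-listed by source and user.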
Organizations running SAP systems are experiencing significant business impact, with several critical environments taken offline for emergency patching. The vulnerability affects systems across various industries, including government agencies, healthcare providers, and critical infrastructure operators, all of whom rely on SAP for core business operations.