SAP NetWeaver Visual Composer
cpe:2.3:a:sap:netweaver:*:*:*:*:*:*:*
- >= 7.1, <= 7.1
This vulnerability is being actively exploited in the wild.
A deserialization vulnerability has been identified in the Metadata Uploader component of SAP NetWeaver Visual Composer, affecting versions 7.1x and above. The issue arises from improper authorization checks, which allow privileged users to upload untrusted or malicious content. When that uploaded content is deserialized, it can lead to a full compromise of the host system. The vulnerability is particularly critical because it allows remote code execution; observed exploitation has involved the deployment of webshells on compromised systems.
Exploitation of this vulnerability allows remote code execution on the affected system: webshells are uploaded and executed in the context of the operating-system user that runs the SAP instance. This access lets attackers interact freely with SAP resources, potentially causing significant disruption, such as shutting down SAP applications or deploying ransomware.
SAP has released a security patch for this vulnerability as part of Security Note 3604119, available through the SAP for Me platform. The patch addresses the deserialization vulnerability by changing how certain files are processed in SAP Visual Composer, removing the risk. SAP Security Note 3594142 should also be applied, as it provides additional patching support for related vulnerabilities.