Karl.Fail

Tag: cwe-94

  • CVE-2025-24977: Critical Code Injection Vulnerability in OpenCTI

    Overview

    A critical vulnerability has been disclosed in OpenCTI, tracked as CVE-2025-24977. This flaw allows authenticated users with specific permissions to execute arbitrary code on the underlying infrastructure and access sensitive server-side secrets. The issue affects all versions prior to 6.4.11 and has been assigned a CVSS v3.1 score of 9.1, marking it as critical in severity.

    What is OpenCTI?

    OpenCTI (Open Cyber Threat Intelligence) is a widely adopted open-source platform for managing and sharing cyber threat intelligence. It allows organizations to structure, store, and visualize complex threat information. Because of its deep integration into security ecosystems, vulnerabilities in OpenCTI can have far-reaching consequences.

    Technical Details

    The vulnerability stems from the improper control of code generation within the application (classified as CWE-94: Code Injection). Specifically, a user with the manage customizations capability can:

    • Execute commands on the host infrastructure using the web hook functionality.
    • Gain a root shell inside a container hosting OpenCTI.
    • Access internal secrets and sensitive environment details.

    This behavior is particularly dangerous because it breaks container isolation and could lead to lateral movement across other infrastructure components.

    CVSS Breakdown

    • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability: High

    Affected Versions

    All OpenCTI versions prior to 6.4.11 are affected by this vulnerability.

    Mitigation

    The vulnerability has been patched in OpenCTI version 6.4.11. All users are strongly advised to:

    • Upgrade to version 6.4.11 or later immediately.
    • Audit user roles and permissions, especially the manage customizations capability.
    • Monitor systems for unauthorized command execution or suspicious container activity.

    Conclusion

    CVE-2025-24977 exemplifies the risk of insufficient controls around customization and hook-based functionality in security platforms. Organizations using OpenCTI should treat this vulnerability with urgency due to the high potential impact on infrastructure integrity and data confidentiality.

    For more technical details and updates, refer to the official GitHub advisory.

  • Code Injection Vulnerability in SAP Landscape Transformation (SLT)

    Overview

    CVE-2025-31330 is a critical vulnerability in SAP Landscape Transformation (SLT), specifically affecting the Analysis Platform component. The flaw enables authenticated users to inject arbitrary ABAP code into the system through a remotely exposed RFC function module. The vulnerability bypasses key authorization checks, effectively acting as a backdoor and posing significant risk to system confidentiality, integrity, and availability.

    Technical Details

    The vulnerability is categorized under CWE-94: Improper Control of Generation of Code (‘Code Injection’). It exists due to the improper validation of input passed to a function module accessible over RFC. Users with limited privileges can exploit this flaw to execute arbitrary code, thereby escalating privileges and compromising the SAP environment.

    The vulnerability is remotely exploitable without user interaction and impacts systems configured with affected SLT versions. The attack can result in:

    • Unauthorized execution of ABAP code
    • Bypassing of critical authorization mechanisms
    • Complete takeover of the affected SAP system

    CVSS Score and Vector

    Base Score: 9.9 (Critical)
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    This vector indicates a network-based attack with low complexity, requiring only low privileges, and affecting multiple security domains (scope changed).

    Affected Products

    • SAP Landscape Transformation (Analysis Platform)
      Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731

    Mitigation and Recommendations

    SAP has addressed this vulnerability in its April 2025 Security Patch Day. Organizations using the affected SLT versions should:

    • Apply SAP Note 3587115 immediately
    • Restrict RFC access to trusted users and IP ranges
    • Audit RFC-enabled function modules and related authorizations
    • Monitor systems for unusual ABAP code executions or privilege escalations

    Conclusion

    CVE-2025-31330 is a critical reminder of the risks posed by improperly secured remote function modules in enterprise software. Given the potential for full system compromise, prompt remediation is essential.

  • CVE-2025-27429: Critical ABAP Code Injection in SAP S/4HANA via RFC

    Overview

    On April 8, 2025, SAP disclosed CVE-2025-27429, a critical vulnerability in SAP S/4HANA (Private Cloud and On-Premise editions), affecting versions S4CORE 102 through 108. This flaw enables a low-privileged attacker to inject arbitrary ABAP code via a vulnerable function module exposed through RFC (Remote Function Call). The vulnerability is classified under CWE-94: Improper Control of Generation of Code.

    Vulnerability Details

    The flaw exists in a specific RFC-enabled function module, which lacks adequate input validation and authorization checks. An attacker with valid but limited SAP user privileges can craft malicious RFC requests that inject ABAP code into the system. The injected code is then executed in the context of the system, effectively acting as a backdoor.

    This enables:

    • Full system compromise
    • Bypass of SAP authorization mechanisms
    • Arbitrary manipulation of data and processes

    Technical Breakdown

    This vulnerability has a CVSS v3.1 base score of 9.9, marking it as Critical. The CVSS vector is:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Key attributes include:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability Impact: High

    The changed scope indicates that exploitation affects resources beyond the vulnerable function, potentially escalating the impact to broader system components.

    Understanding CWE-94

    CWE-94 refers to vulnerabilities where user-controllable inputs are used directly in dynamic code execution. In SAP systems, such vulnerabilities are particularly dangerous due to the system’s role in core business processes, and ABAP being the foundational language for many SAP applications.

    Impacted Systems

    • S/4HANA S4CORE versions 102 through 108

    Both Private Cloud and On-Premise installations are affected if they expose the vulnerable RFC module.

    Mitigation and Recommendations

    SAP recommends the following:

    • Apply the latest security patches available in SAP Note 3581961
    • Restrict RFC access to trusted sources only
    • Use SAP Code Vulnerability Analyzer to detect risky custom code
    • Enable system-wide logging and monitoring for unusual ABAP activity

    Conclusion

    CVE-2025-27429 represents a severe risk for enterprises relying on SAP S/4HANA. Given the low barrier to exploitation and the critical nature of SAP environments, immediate patching and system hardening are essential to prevent unauthorized code execution and system compromise.