Cyber Resilience

CVE-2018-2380

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 01 March 2018
Modified: 31 October 2025
KEV added: 03 November 2021
Patch: SAP Note 2547431
CVSS v3.1 score: 6.6 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
EPSS score: 0.4879 (97.8th percentile)
Risk priority: 62 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2018-2380 is a medium-severity Path Traversal (CWE-22) vulnerability in SAP Customer Relationship Management (CRM). Its CVSS v3.1 base score is 6.6 (Medium).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54 contain a path traversal vulnerability resulting from insufficient validation of user-supplied path information. Directory traversal sequences are passed directly to underlying file APIs, enabling access outside intended directories. The issue is tracked as CWE-22 with a CVSS 3.1 base score of 6.6.

An attacker holding high privileges (PR:H) can send crafted requests over the network to read, modify, or otherwise affect files accessible to the application. The vector records a scope change (S:C): the impact, although limited (C:L/I:L/A:L), can extend to the confidentiality, integrity, and availability of resources beyond the vulnerable component itself.

SAP security notes and the February 2018 patch day announcement direct customers to apply corrections referenced in SAP Note 2547431. Public proof-of-concept code has been published on Exploit-DB and GitHub demonstrating the traversal technique against the affected CRM components.

Vulnerability details

SAP CRM, 7.01, 7.02, 7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

CWE(s): CWE-22 (Path Traversal)
KEV date added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: SAP
Product: Customer Relationship Management
Versions: 7.01, 7.02, 7.30, 7.31, 7.33

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: Directly requires validation of user-supplied path data to reject traversal sequences before they reach file APIs.

AC-3 (Access Enforcement), prevent: Enforces access-control decisions on file resources so that traversal attempts outside authorized directories are blocked.

Prevent: Limits the high privileges required by the CVE, reducing the set of files an authenticated attacker can reach via traversal.
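As an added illustration of the input-validation and access-enforcement controls listed above (example code written for this page, not SAP's or the CRM component's implementation), the following Python guard canonicalises a user-supplied relative path against a fixed base directory and refuses anything that resolves outside it. The function names, the temporary base directory and the sample inputs are constructed for the demonstration; the check relies on resolving the path rather than pattern-matching literal `../` sequences, so symlinks, percent-encoded dots and backslash separators are all judged by where the path actually lands.

```python
"""Canonicalise-then-check guard against directory traversal (added example).

Demonstrates rejecting traversal sequences before a path reaches file APIs:
the user input is joined onto a fixed base directory, fully resolved, and
only accepted if the resolved result is still inside that base.
"""
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the permitted base directory."""


def resolve_within_base(base_dir: str, user_path: str) -> str:
    """Return the canonical absolute path of user_path under base_dir,
    or raise PathTraversalError if it would resolve outside base_dir."""
    # Decode one layer of percent-encoding so '%2e%2e%2f' is judged as '../'.
    decoded = unquote(user_path or "")
    if not decoded or "\x00" in decoded:
        raise PathTraversalError("empty path or embedded NUL byte")
    # Treat backslashes as separators so Windows-style traversal is also caught.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or os.path.isabs(decoded):
        raise PathTraversalError("absolute paths are not permitted")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' components and follows symlinks, so the
    # containment test below sees the directory the OS would really open.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath is the containment test; a plain string-prefix check would
    # wrongly accept '/srv/files_private' as being inside '/srv/files'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return candidate


def read_user_file(base_dir: str, user_path: str) -> bytes:
    """Open a file only after the path has passed the containment check."""
    safe_path = resolve_within_base(base_dir, user_path)
    with open(safe_path, "rb") as fh:
        return fh.read()


def check_inputs(base_dir: str, inputs) -> dict:
    """Classify each candidate path as 'allowed' or 'blocked' by the guard."""
    results = {}
    for path in inputs:
        try:
            resolve_within_base(base_dir, path)
            results[path] = "allowed"
        except PathTraversalError:
            results[path] = "blocked"
    return results


def make_demo_tree() -> str:
    """Create a constructed sample directory: <base>/docs/report.txt."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "report.txt"), "wb") as fh:
        fh.write(b"quarterly report")
    return base


# Constructed sample inputs: two legitimate paths, the rest traversal attempts.
SAMPLE_INPUTS = [
    "docs/report.txt",
    "docs/../docs/report.txt",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "docs\\..\\..\\secret.txt",
    "/etc/passwd",
    "docs/report.txt%00.png",
]

if __name__ == "__main__":
    demo_base = make_demo_tree()
    print(read_user_file(demo_base, "docs/report.txt"))
    for path, verdict in check_inputs(demo_base, SAMPLE_INPUTS).items():
        print(f"{verdict:8} {path}")
```

The two legitimate inputs resolve inside the base and are served; every other sample is refused even though several of them contain no literal `../` at the point where a naive filter would look for it.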
