Insufficient Authorization Checks on RFC Enabled Function Module F4_DXFILENAME_TOPRECURSION

Impact on Business

A remote attacker can read all filenames of arbitrary directories from the file system of the application server. This has a low impact on the confidentiality of the system and its business applications.

Vulnerability Details

Remote-enabled function module F4_DXFILENAME_TOPRECURSION allows non-administrative authenticated users to read filenames from arbitrary locations on the file system of the application server. The vulnerable function module is part of the SAP_BASIS software component.

Solution

SAP has released SAP Note 3454858 which provides patched versions of the affected components.

The patches can be downloaded from https://me.sap.com/notes/3454858

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

03/28/2024: Onapsis reports vulnerability to SAP
07/09/2024: SAP issues the patch

References

Onapsis blogpost: https://onapsis.com/blog/sap-patch-day-july-2024/
CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37180
Vendor Patch: https://me.sap.com/notes/3454858

Back to Advisories

Advisory Information

Public Release Date: 09/10/2025
Security Advisory ID: ONAPSIS-2024-0058
Researcher(s): Cristian Scraba

Vulnerability Information

Vendor: SAP
Affected Components:
- SAP NetWeaver and ABAP Platform
- SAP Basis (SAP_BASIS) component
  (Check SAP Note 3454858 for detailed information on affected releases)
Vulnerability Class: CWE-862: Missing Authorization
CVSS v3 score: 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N)
Risk Level: Medium
Assigned CVE: CVE-2024-37180
Vendor patch Information: SAP Security NOTE 3454858

Affected Components Description

SAP_BASIS 700 SP 15-41
SAP_BASIS 701 SP 01-26
SAP_BASIS 702 SP 01-26
SAP_BASIS 731 SP 01-34
SAP_BASIS 740 SP 01-31
SAP_BASIS 750 SP 01-30
SAP_BASIS 751 SP 01-18
SAP_BASIS 752 SP 01-14
SAP_BASIS 753 SP 01-12
SAP_BASIS 754 SP 01-10
SAP_BASIS 755 SP 01-08
SAP_BASIS 756 SP 01-06
SAP_BASIS 757 SP 01-04
SAP_BASIS 758 SP 01

About our Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License

Safeguarding Tomorrow: Empowering SAP Customers with Advanced Cyber Risk Management

Securing SAP Business Technology Platform (BTP)

The Book on Cybersecurity for SAP

Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)

Your S/4HANA Cloud Journey