CVE-2025-42937

SAP · SAP Print Service Multiple Products

Executive summary

A critical vulnerability has been identified in the SAP Print Service, which allows an unauthenticated remote attacker to overwrite critical system files. This flaw, resulting from improper input validation, can be exploited to cause a complete system compromise, leading to severe business disruption, data loss, and unauthorized system access. Immediate patching is required to mitigate the significant risk posed by this vulnerability.

Vulnerability

The vulnerability is a path traversal weakness within the SAP Print Service (SAPSprint). The application fails to properly sanitize or validate user-supplied path information, allowing an attacker to use directory traversal sequences (e.g., ../). An unauthenticated attacker with network access to the service can craft a malicious request to navigate outside of the intended directory and overwrite arbitrary system files, potentially including critical operating system binaries or configuration files. Successful exploitation could lead to a denial-of-service condition or arbitrary code execution with the privileges of the SAP service account.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. The potential business impact is severe, as successful exploitation by an unauthenticated attacker could lead to a complete compromise of the underlying server hosting the SAP Print Service. Consequences include significant operational downtime, theft or corruption of sensitive business data, installation of ransomware, and loss of system integrity. The ability for an attacker to exploit this flaw without any prior authentication dramatically increases the risk to the organization, potentially leading to substantial financial losses and reputational damage.

Remediation

Immediate Action: The primary and most effective remediation is to apply the security patches provided by the vendor immediately. Organizations must update the SAP Print Service on all affected systems to the latest version that addresses this vulnerability. After patching, it is crucial to monitor systems for any signs of post-exploitation activity and to review historical access logs for indicators of compromise.

Proactive Monitoring: Security teams should actively monitor for exploitation attempts. This includes monitoring file integrity on critical system directories for any unauthorized modifications originating from the SAP Print Service process. Network and application logs should be scrutinized for suspicious requests containing path traversal sequences like ../, ..\, or their encoded variants.
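
The log review described above can be sketched as follows. This is an added example, not vendor or SAP tooling: it decodes each line repeatedly so that nested and overlong encodings are caught, then flags a standalone ".." path segment. The key=value log format, field names and sample lines are constructed assumptions, not the SAP Print Service's real log layout.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Overlong UTF-8 forms of '.', '/' and '\' that lenient decoders accept.
OVERLONG = {"%c0%ae": ".", "%c0%af": "/", "%c1%9c": "\\"}
OVERLONG_RE = re.compile("|".join(OVERLONG), re.IGNORECASE)
# ".." standing alone as a path segment (separators already unified to "/").
DOTDOT = re.compile(r"""(?<![^/\s"'=:])\.\.(?![^/\s"'])""")
MAX_ROUNDS = 5  # bound the work on deliberately nested encoding


def normalize(text: str) -> Tuple[str, int]:
    """Percent-decode until stable; return (decoded text, rounds needed)."""
    rounds = 0
    for _ in range(MAX_ROUNDS):
        step = unquote(OVERLONG_RE.sub(lambda m: OVERLONG[m.group().lower()], text))
        if step == text:
            break
        text, rounds = step, rounds + 1
    return text.replace("\\", "/"), rounds


def traversal_finding(line: str) -> Optional[str]:
    """Label the line 'plain' or 'encoded xN' if it holds a '..' segment."""
    decoded, rounds = normalize(line)
    if not DOTDOT.search(decoded):
        return None
    return "plain" if rounds == 0 else f"encoded x{rounds}"


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, label) for every line with a finding."""
    labelled = ((n, traversal_finding(line)) for n, line in enumerate(lines, 1))
    return [(n, label) for n, label in labelled if label]


# Constructed sample lines in a made-up key=value format (not SAPSprint's).
SAMPLE_LINES = [
    "src=192.0.2.5 job=1001 file=invoice..final.pdf",
    "src=192.0.2.9 job=1002 file=..\\..\\outside\\target.txt",
    "src=192.0.2.9 job=1003 file=%2e%2e%2foutside%2ftarget.txt",
    "src=192.0.2.9 job=1004 file=%252E%252E%255Coutside",
    "src=192.0.2.9 job=1005 file=%c0%ae%c0%ae%c0%afoutside",
]

if __name__ == "__main__":
    for number, label in scan(SAMPLE_LINES):
        print(f"line {number}: traversal segment ({label})")
```

A hit that needed two or more decoding rounds deserves priority in triage, since legitimate clients rarely double-encode file names.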

Compensating Controls: If immediate patching is not feasible, the following compensating controls should be implemented to reduce the risk:

  • Restrict network access to the SAP Print Service port to only trusted IP addresses and subnets using a host-based or network firewall.
  • Implement an Intrusion Prevention System (IPS) with rules designed to detect and block directory traversal attacks.
  • Enforce the principle of least privilege by ensuring the service account running SAP Print Service has restrictive file system permissions, preventing it from writing to sensitive system directories outside its intended operational scope.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity of this vulnerability and the potential for complete system compromise by an unauthenticated attacker, this issue must be treated as a top priority. We strongly recommend that all affected SAP Print Service instances be patched immediately. Although this CVE is not currently listed in the CISA KEV catalog, its high-impact characteristics make it a prime candidate for future inclusion and widespread exploitation. Organizations should assume it will be targeted and act decisively to apply the vendor-supplied remediation without delay.