Arpine Maghakyan

Security Researcher of RedRays.

[CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure

Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver Development Infrastructure Component Build Service versions – 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
Vendor URL:
Date of Public Advisory: June 1, 2023
Reference: []
SAP Note: 3072955 
SAP Approved Fixes: True
Status: analyzed and published


Title: [CVE-2021-33690] Server-Side Request Forgery Vulnerability in SAP NetWeaver Development Infrastructure
Risk: Critical
Advisory URL:
Date published: June 1, 2023


Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3.1 Base Score: 9.9 / 10 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


A Server-Side Request Forgery (SSRF) vulnerability has been identified in the SAP NetWeaver Development Infrastructure Component Build Service, versions 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50. It allows an attacker who has access to the server to perform proxy attacks by sending specially crafted queries. Such attacks can lead to the complete compromise of sensitive data on the server and affect its availability. The severity of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or the internet. The CVSS score has been calculated for the worst case, which assumes it runs on the internet.


To determine if the server is vulnerable to SSRF, send the following request:

POST /tc.CBS.Appl/tcspseudo HTTP/1.1
Host: redrayssap:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded


If the following response is received, it implies the presence of the vulnerability:

Could not connect to the CBS.
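
For defenders, requests to the endpoint used in the check above can be searched for in HTTP access logs. The following is an added example, not part of the original advisory or of RedRays tooling; the Common Log Format-style pattern, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Endpoint named in the advisory's check request, lowercased for comparison.
CBS_ENDPOINT = "/tc.cbs.appl/tcspseudo"

# Assumption: access log in Common Log Format style; adjust the pattern to
# the format configured on your AS Java instance or reverse proxy.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target: str) -> str:
    """Reduce a request target to a comparable path: drop the query string,
    percent-decode, strip ;path-parameters, collapse slashes, lowercase.
    Deliberately over-inclusive so encoded variants are not missed."""
    path = unquote(target.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return "/" + "/".join(s for s in segments if s).lower()

def find_cbs_hits(lines):
    """Return parsed records for every request whose normalized path is the
    CBS endpoint, regardless of method or response status."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and normalize_path(m["target"]) == CBS_ENDPOINT:
            hits.append(m.groupdict())
    return hits

def posts_by_source(hits):
    """Count POST requests per source address (the method used in the check)."""
    return Counter(h["src"] for h in hits if h["method"] == "POST")

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '10.0.5.17 - jdoe [01/Jun/2023:10:02:11 +0000] "POST /tc.CBS.Appl/tcspseudo HTTP/1.1" 200 412',
    '10.0.5.17 - jdoe [01/Jun/2023:10:02:13 +0000] "POST /tc.CBS.Appl/%74cspseudo;x=1?a=b HTTP/1.1" 200 412',
    '10.0.8.40 - - [01/Jun/2023:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 9120',
    '10.0.9.3 - build [01/Jun/2023:10:07:45 +0000] "GET //tc.CBS.Appl//tcspseudo HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for src, n in posts_by_source(find_cbs_hits(SAMPLE_LOG)).items():
        print(f"{src}: {n} POST request(s) to the CBS endpoint")
```

Hits from accounts or source addresses that are not part of the build infrastructure are the ones worth reviewing first.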

About RedRays

RedRays is a premier cybersecurity enterprise that safeguards ERP systems against internal fraudulent activities and external cyber threats. We take pride in delivering robust security solutions for large corporations and managed service providers that depend on major ERP systems like SAP, Oracle, and Microsoft. Utilizing advanced tools and strategies, we proactively supervise and control security in extensive SAP environments globally.

Our primary goal is to bridge the security gap from both a technical and business perspective, ensuring our clients’ seamless operations and safeguarding their precious data. We at RedRays are committed to upholding top-tier security standards while providing extraordinary client service and assistance.

About RedRays R&D

The cornerstone of RedRays’ accomplishments lies in our research and development (R&D) unit, which specializes in studying and analyzing vulnerabilities in essential corporate applications. Our R&D initiatives have earned acknowledgment and admiration from leading software firms such as SAP, Oracle, Microsoft Dynamics, and IBM. This dedication to research enables us to anticipate emerging threats and craft bespoke security solutions that cater to our clients’ needs.

Our team comprises seasoned professionals with diverse skill sets spanning various security domains, such as vulnerability evaluation, penetration testing, incident management, and threat intelligence. Our commitment is to perform rigorous research and deliver avant-garde solutions to fortify SAP systems against ever-changing threats.
