SAP NetWeaver is a technology platform for building and integrating SAP business applications.
The NetWeaver management console exposes an authenticated SOAP web service interface. During the authentication phase, user-supplied values within the SOAP request are passed as parameters to a child process. In NetWeaver 7.02 and prior, these parameters are not properly validated, which may allow an attacker to execute arbitrary commands on the server.
An update is available through the SAP customer portal. Please see SAP Security Note 1341333 (login required).
This exploit has been tested against SAP NetWeaver 7.02 SP06 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).