Exploiting SAP Crystal Report’s Vulnerability in 2025

In 2020, SAP disclosed CVE-2020-6219, a deserialization-based Remote Code Execution (RCE) vulnerability in the Crystal Report Viewer. Fast forward to 2025, and we revisited this flaw, developing a practical exploitation path that highlights just how dangerous it remains in real-world scenarios.

Author Cenobe
Cyber Security

SAP Crystal Server is a business intelligence (BI) reporting and dashboarding platform designed for small to medium-sized businesses. It enables organizations to securely share reports, dashboards, and data visualizations across teams.

We confirmed the presence of an unauthenticated RCE vulnerability in the Crystal Report Viewer function. This issue does not only impact SAP Crystal Server; it extends to any product that integrates SAP Report Viewer as a third-party solution for viewing, creating, or updating reports.

Although this vulnerability has been publicly known for some time, awareness remains surprisingly low, leaving many organizations unknowingly exposed to potential attacks.

In this post, we provide a detailed technical analysis of the vulnerability, breaking down its inner workings and explaining how it can be exploited in real-world scenarios.

The vulnerability

Within the CrystalDecisions.Web.CrystalReportViewerBase.LoadViewState function, the application processes the incoming request by retrieving the JSON payload and extracting the viewerState parameter for further handling.

It then deserializes the extracted data using LosFormatter.

The main challenge is how to reach this function in a real-world scenario.

The CrystalReportViewerBase class is inherited by three components:

  • ReportExporter,
  • CrystalReportPartsViewer, and
  • CrystalReportViewer,

each corresponding to their respective ASP.NET tags.

The next step is to locate a valid, unauthenticated ASPX file that utilizes one of the tags mentioned above.

When installing SAP Crystal Server on a Windows Server, the setup typically creates an IIS AppPool under the DefaultAppPool root. This includes the following default endpoints:

  • /aspnet_client/system_web/2_0_50727/crystalreportviewers/
  • /aspnet_client/system_web/4_0_30319/crystalreportviewers/

which correspond to ASP.NET versions 2.x and 4.x, respectively—even if no additional deployment is performed.

Inside this folder there is a preview.aspx file that perfectly matches our requirements, and it is accessible without authentication.

When accessing this file, the page appears blank at first glance; however, by viewing the page source, we can see the viewerState value, which is an object serialized in LosFormatter format.

We combined it with a gadget chain from ysoserial.net to inject payloads and print the output into the HTTP response, successfully achieving unauthenticated Remote Code Execution (RCE).

We also identified several third-party products that integrate Crystal Report Viewer for report handling and found them to be vulnerable as well. We strongly recommend reviewing your product and applying updates as soon as possible, especially for any pages that utilize the ReportExporter, CrystalReportPartsViewer, or CrystalReportViewer tags.

In the patched version, SAP developers introduced an encrypt/decrypt step before deserialization, using an AES key and IV to secure the process.

If the key cannot be retrieved from the registry path
HKEY_LOCAL_MACHINE\SOFTWARE\SAP BusinessObjects\Suite XI 4.0\Crystal Reports\KeyPair,
it is randomly generated by default. However, if an attacker is able to inject a malicious AES key into this registry key, it could effectively serve as a backdoor into the system.

Recommendation

If you are using the ReportExporter, CrystalReportPartsViewer, or CrystalReportViewer tags, we strongly recommend updating your Crystal Report Viewer to version 13 or higher as soon as possible.

Additionally, review the registry key located at:
HKEY_LOCAL_MACHINE\SOFTWARE\SAP BusinessObjects\Suite XI 4.0\Crystal Reports\KeyPair
and ensure that you are the one who created it. If not, delete the key immediately to prevent potential backdoor risks.
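An audit script for the three checks above, added here as an example and not taken from the original post. It assumes the default IIS web root, that CrystalDecisions.Web.dll is installed in the GAC under the path given in $GacRoot, and that a 32-bit application pool may store the key under the WOW6432Node view of the registry.

```powershell
# Added audit script for the recommendations above; not part of the original post.
# Assumptions: IIS content lives under $WebRoot, CrystalDecisions.Web.dll is installed in the
# GAC under $GacRoot, and a 32-bit app pool may store the key under WOW6432Node.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot',
    [string]$GacRoot = "$env:windir\Microsoft.NET\assembly\GAC_MSIL\CrystalDecisions.Web",
    [version]$MinimumVersion = '13.0'
)

# 1. Pages that declare one of the three controls inheriting CrystalReportViewerBase.
#    The tag prefix (e.g. <CR:CrystalReportViewer ...>) varies per site, so match any prefix.
$tagPattern = '<\w+:(ReportExporter|CrystalReportPartsViewer|CrystalReportViewer)\b'
$hits = Get-ChildItem -Path $WebRoot -Recurse -Include *.aspx, *.ascx, *.master -ErrorAction SilentlyContinue |
    Select-String -Pattern $tagPattern
"[*] Pages using a Crystal viewer tag: $(@($hits).Count)"
$hits | ForEach-Object { "    $($_.Path):$($_.LineNumber)  $($_.Line.Trim())" }

# 2. File version of every CrystalDecisions.Web.dll found; anything below 13 does not meet the
#    post's recommendation.
$dlls = Get-ChildItem -Path $GacRoot, $WebRoot -Recurse -Filter 'CrystalDecisions.Web.dll' -ErrorAction SilentlyContinue
foreach ($dll in $dlls) {
    $vi  = $dll.VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $tag = if ($ver -lt $MinimumVersion) { '!' } else { 'ok' }
    "[{0}] {1}  {2}" -f $tag, $ver, $dll.FullName
}

# 3. The KeyPair registry key the patched viewer reads its AES key from. It should exist only if
#    you created it; the post recommends deleting a key of unknown origin.
$keyPaths = 'HKLM:\SOFTWARE\SAP BusinessObjects\Suite XI 4.0\Crystal Reports\KeyPair',
            'HKLM:\SOFTWARE\WOW6432Node\SAP BusinessObjects\Suite XI 4.0\Crystal Reports\KeyPair'
foreach ($kp in $keyPaths) {
    if (-not (Test-Path -LiteralPath $kp)) { "[ok] absent: $kp"; continue }
    $acl = Get-Acl -LiteralPath $kp
    "[!] present: $kp"
    "    owner:  $($acl.Owner)"
    "    values: $((Get-Item -LiteralPath $kp).GetValueNames() -join ', ')"
    # Principals allowed to write the key; review these against your change records.
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -match 'SetValue|CreateSubKey|FullControl' } |
        ForEach-Object { "    writable by: $($_.IdentityReference)" }
}
```

Run it in an elevated PowerShell session on the IIS host so the GAC and HKLM paths are readable.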

We are proud to partner with RedRays in providing advanced SAP penetration testing services. Together, we deliver high-end security assessments and tailored mitigation strategies to safeguard your business-critical SAP environments against emerging threats.