Security Advisory:

Critical Bug Gives Attackers Control of Vulnerable SAP Business Applications

20 July 2020

SAP has issued patches to fix a critical vulnerability known as RECON (Remotely Exploitable Code On Netweaver) that can lead to total compromise of vulnerable SAP installations. It has been assigned a score of 10 on the Common Vulnerability Scoring System (CVSS), the most severe rating possible.

If exploited, CVE-2020-6287 would give a malicious actor full access to the affected system, including the ability to create a new SAP user with maximum privileges, alter financial records, corrupt data, delete or change logs and traces, harvest personally identifiable information, and take other actions that could put organisations at severe risk.

The vulnerability, which can be exploited via HTTP over an internet-facing interface, affects a default component present in every SAP application running on top of SAP NetWeaver AS Java 7.3 and upwards. This includes SAP SCM, SAP Solution Manager, SAP PI and SAP Enterprise Portal. It is estimated to impact over 40,000 SAP customers, with at least 2,500 vulnerable systems currently exposed to the internet.

Organisations must apply the relevant patches immediately, prioritising internet-facing systems and then internal systems. Those unable to patch straight away should mitigate the vulnerability by disabling the LM Configuration Wizard service. In addition, continue monitoring your SAP NetWeaver AS for anomalous activity over the coming days, in particular requests to that service from untrusted networks and unexpected creation of privileged SAP users.
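The monitoring step above can be started from the HTTP access logs of the NetWeaver AS Java instance: any request to the LM Configuration Wizard service that originates outside the networks where administrators actually work deserves a look, whatever the response code. The script below is an added example written for this advisory; it is not SAP's code and not the advisory author's. The log layout, the trusted networks, and the URL prefix `WATCHED_PREFIX` are assumptions: the prefix is a hypothetical placeholder that must be replaced with the service's real URL prefix from SAP's security note, and `parse_line()` must be adapted to your web server's access-log format. The sample log lines are constructed.

```python
"""Flag HTTP requests to an administrative SAP NetWeaver AS Java service
(the LM Configuration Wizard) that arrive from outside trusted networks.

Added example for this advisory, not SAP's or the advisory author's code.
Assumptions: WATCHED_PREFIX is a hypothetical placeholder for the real
service prefix documented by SAP; TRUSTED_NETWORKS and the log layout are
assumed and must be adapted to your environment.
"""

import ipaddress
import re
from collections import Counter

# Hypothetical placeholder: replace with the real URL prefix of the
# LM Configuration Wizard service from SAP's security note.
WATCHED_PREFIX = "/example-lm-config-wizard/"

# Networks from which administrative access is expected (assumed values).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed access-log layout: client_ip "METHOD path HTTP/x" status
LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return a dict with ip, method, path and status, or None on no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}


def is_trusted(ip):
    """True when the client address lies inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious(lines):
    """Requests to the watched service from untrusted sources.

    Every such request is reported, including failed ones: a 4xx or 5xx
    from the internet still shows that the service is reachable.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WATCHED_PREFIX):
            continue
        if not is_trusted(rec["ip"]):
            hits.append(rec)
    return hits


def summarise(hits):
    """Count flagged requests per source address for triage."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines; 203.0.113.7 and 198.51.100.4 are
# documentation addresses standing in for internet sources.
SAMPLE_LOG = [
    '10.1.2.3 "GET /irj/portal HTTP/1.1" 200',
    '203.0.113.7 "POST /example-lm-config-wizard/service HTTP/1.1" 200',
    '203.0.113.7 "POST /example-lm-config-wizard/service HTTP/1.1" 500',
    '192.168.5.9 "GET /example-lm-config-wizard/ HTTP/1.1" 200',
    '198.51.100.4 "GET /irj/portal HTTP/1.1" 302',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for ip, count in summarise(flagged).most_common():
        print(f"{ip}: {count} request(s) to the watched service")
```

Run against the constructed sample, the script reports two requests from 203.0.113.7 and ignores the request from the trusted 192.168.5.9 address. In practice, feed it the rotated access logs covering the window before the patch was applied, and treat any hit as a reason to check for newly created users and altered logs on that instance.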