Users Urged to Patch Critical Flaw in SAP NetWeaver ASIf Exploited, Attackers Could Gain Full Control of Sensitive Operations
Cybersecurity experts are pushing organizations to immediately patch a critical zero-day vulnerability in SAP's NetWeaver Application Server because threat actors are likely searching for networks that are susceptible to the flaw, dubbed CVE-2020-6287.
On Wednesday, security firm Bad Packets spotted a proof-of-concept exploit for this SAP vulnerability, although the researcher who posted it on GitHub stressed it's for education and testing purposes only.
PoC for CVE-2020-6286 and CVE-2020-6287 has been published to GitHub. Patch now! https://t.co/SH3IPwAcEr— Bad Packets (@bad_packets) July 15, 2020
SAP NetWeaver Application Server is widely used - often as the framework to help protect an organization's most important data, according to the Cybersecurity and Infrastructure Security Agency, which issued an alert about the flaw on Monday. The vulnerability, which is also called RECON, is in SAP NetWeaver Application Server Java component LM Configuration Wizard versions 7.30, 7.31, 7.40 and 7.50.
"Due to the criticality of this vulnerability, the attack surface this vulnerability represents and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency strongly recommends organizations immediately apply patches,” the CISA advisory states. “CISA recommends organizations prioritize patching internet-facing systems, and then internal systems."
This is the second time in less than two months SAP has had to patch critical vulnerabilities. In June, researchers at the security firm Trustwave disclosed six vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software (see: Researchers Disclose 2 Critical Vulnerabilities in SAP ASE).
Bob Huber, CSO at security firm Tenable, notes that exploiting this latest vulnerability could give an attacker control over extremely sensitive operations.
"The SAP Netweaver vulnerability could impact over 40,000 enterprises globally and would give adversaries free rein over mission-critical applications, including supply chain management and enterprise resource planning," Huber tells Information Security Media Group.
A full, malicious exploit has not been spotted in the wild, but one could quickly emerge, says Casey Ellis, CTO and founder of bug hunting firm Bugcrowd.
"Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting," Ellis says.
The CISA alert notes that the vulnerability was identified in a component that is part of the SAP NetWeaver AS Java. This technology stack is part of the SAP Solution Manager, which is a support and system management suite. The vulnerability is viable due to the lack of authentication in a web component of the SAP NetWeaver AS for Java, which allows for several high-privileged activities on the SAP system.
"If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (
If an organization cannot immediately patch this vulnerability, CISA recommends mitigating the vulnerability by disabling the LM Configuration Wizard service. If this cannot be done or is expected to take more than 24 hours to complete, CISA strongly recommends closely monitoring SAP NetWeaver AS for anomalous activity.
Patching is also a priority because any organization that is compromised could find itself open to regulatory consequences for violating the U.S. Sarbanes-Oxley Act or the European Union's General Data Protection Regulation, Huber says.
"This vulnerability would give cybercriminals access to highly sensitive and private data, with potential economic, physical and social consequences. This includes theft of IP and trade secrets, releasing fraudulent payments and modifying financial records," Huber says.