This article is more than 1 year old

So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You'll want to patch this

10 out of 10: Great in a test score, less good when it's for the severity of a flaw

SAP customers should update their installations to close a security vulnerability that can be exploited to commandeer the software by anyone who can reach it.

Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP's NetWeaver AS JAVA (LM Configuration Wizard) allows a remote unathenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization.

The bug, CVE-2020-6287, is a lack of proper authentication in NetWeaver. This lets unauthorized users create new admin accounts via HTTP, granting miscreants full access: it's rated 10 out of 10 in terms of severity. The vulnerable Java component is used throughout much of SAP's product line, so it would be a good idea to check for updates on any SAP code running on your network.

To exploit the flaw, a hacker just needs to be able to reach the software over the network, or the internet if it is public facing.

"The RECON vulnerability affects a default component present in every SAP application running the SAP NetWeaver Java technology stack," said Onapsis. "This technical component is used in many SAP business solutions, including SAP SCM, SAP CRM, SAP PI, SAP Enterprise Portal and SAP Solution Manager (SolMan), impacting more than 40,000 SAP customers."

Customers running NetWeaver 7.30, 7.31, 7.40, 7.50 or earlier should update their software to close off the vulnerability. Onapsis believed the flaw is particularly dangerous because the NetWeaver apps in question tend to be put out on the network and public internet – think of things like customer-facing apps and internal tools for employees or business partners.


SAP rolls out early Q2 numbers, says 18% decline in licensing revenue is an 'improvement'


Onapsis reckoned there are at least 2,500 potentially vulnerable SAP installations exposed online, with 33 per cent in North America, 29 per cent in Europe, and 27 per cent in Asia-Pacific. The security house also believes that the bug could put companies at risk of government compliance fines, depending on the data being shared.

"Because of the type of unrestricted access an attacker could obtain, this vulnerability may also constitute a deficiency in an enterprise’s IT controls for regulatory mandates," said Onapsis. "Potentially impacting financial (Sarbanes-Oxley) and privacy (GDPR) compliance."

The warning was backed up by US-CERT, which urged admins to update their software as soon as possible.

"Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations immediately apply patches," said the American computer security body.

"CISA recommends organizations prioritize patching internet-facing systems, and then internal systems."

Onapsis said it reported the flaw to SAP on May 27. The bug was confirmed later that day and, on June 8, was issued a CVSS score of 10. The flaw was kept under wraps until July 14, when SAP could put out a patch (support note 2934135) as part of its scheduled monthly security update cycle. ®

More about


Send us news

Other stories you might like