CISA: Patch Critical SAP RECON Bug Now

The US government is urging SAP customers to patch a critical vulnerability published earlier this week, which could affect as many as 40,000 customers.

Released as part of the software giant’s July patch update round, CVE-2020-6287 affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard.

According to an alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the bug is introduced thanks to a lack of authentication in the component.

“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,” it explained.

“The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability.”

As SAP NetWeaver AS Java supports a large range of SAP applications, the potential impact is severe. These include: SAP Enterprise Resource Planning, Product Lifecycle Management, Customer Relationship Management, Supply Chain Management, Supplier Relationship Management, NetWeaver Business Warehouse, Business Intelligence, NetWeaver Mobile Infrastructure, Enterprise Portal, Process Orchestration/Process Integration, Solution Manager, NetWeaver Development Infrastructure, Central Process Scheduling, NetWeaver Composition Environment, and Landscape Manager.

Onapsis Research Labs, which discovered the vulnerability, named it RECON and warned that the CVSS 10.0 bug could affect more than 40,000 global SAP customers.

It could allow remote attackers to steal PII from employees, customers and suppliers, delete or modify financial records, change banking details, disrupt operations and much more, the vendor claimed.

“The business impact of a potential exploit targeting RECON could be financial loss, compliance violations and reputation damage for the organization experiencing a cyber-attack,” it added.

What’s Hot on Infosecurity Magazine?