
SAP patches critical NetWeaver flaw that could compromise thousands of customers

(Image credit: 360b / Shutterstock)

A critical vulnerability with a severity score of 10/10 was found in a SAP product and successfully patched, the company confirmed earlier this week.

SAP reported that its NetWeaver AS JAVA tool, used by approximately 40,000 businesses, was vulnerable to what’s known as the RECON vulnerability (Remotely Exploitable Code On NetWeaver).

The flaw could allow hackers to fully compromise a target system, according to the security team from Onapsis responsible for the discovery. The researchers believe RECON was made possible by a lack of authentication in the SAP NetWeaver AS for Java web component.

Onapsis added that all versions from 7.30 to 7.50 are affected.

"If exploited, an unauthenticated attacker (no username or password required) can create a new SAP user with maximum privileges, bypassing all access and authorisation controls (such as segregation of duties, identity management, and GRC solutions) and gaining full control of SAP systems," Onapsis explained.

"The RECON vulnerability is particularly dangerous because many of the affected solutions are often exposed to the internet to connect companies with business partners, employees, and customers, which drastically increases the likelihood of remote attacks."
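The flaw class Onapsis describes, a critical function (user creation) reachable without authentication, and the checks a hardened handler makes before acting, can be shown with a small constructed example. This is added illustration code, not SAP's or Onapsis's, and it does not model NetWeaver's real API: the `Request`, `Session` and `UserStore` types, the role name `ADMIN_ROLE`, and the audit-log line format are all assumptions of this example. The second half runs a defender's check over constructed audit lines, flagging the post-condition an attack on such a flaw would leave behind: a maximally privileged user created by no authenticated actor.

```python
"""Constructed illustration of a missing-authentication flaw on a
privileged operation (the RECON flaw class), its hardened form, and an
audit-log check. Not SAP code; all names and formats are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ADMIN_ROLE = "ADMIN_ALL"  # placeholder for a maximal-privilege role


@dataclass
class Session:
    user: str
    roles: frozenset


@dataclass
class Request:
    session: Optional[Session]  # None models an unauthenticated remote caller
    new_user: str
    new_roles: frozenset


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)


class AuthError(Exception):
    pass


def create_user_vulnerable(store: UserStore, req: Request) -> str:
    """Flawed handler: never asks who sent the request, so any caller,
    authenticated or not, can mint a user holding ADMIN_ROLE."""
    store.users[req.new_user] = set(req.new_roles)
    return req.new_user


def create_user_fixed(store: UserStore, req: Request) -> str:
    """Hardened handler: authenticate, then authorise, then act."""
    if req.session is None:
        raise AuthError("authentication required")
    if ADMIN_ROLE not in req.session.roles:
        raise AuthError(f"{req.session.user} may not manage users")
    # Least privilege: a caller cannot grant roles they do not hold.
    if not req.new_roles <= req.session.roles:
        raise AuthError("cannot grant roles the caller does not hold")
    store.users[req.new_user] = set(req.new_roles)
    return req.new_user


def is_rejected(handler: Callable, store: UserStore, req: Request) -> bool:
    """True if the handler refuses the request with AuthError."""
    try:
        handler(store, req)
    except AuthError:
        return True
    return False


# Constructed audit lines (format invented here, not SAP's):
# "<timestamp> actor=<user or -> action=<ACTION> target=<user> roles=<r1,r2>"
SAMPLE_AUDIT_LOG = [
    "2020-07-14T10:00:01Z actor=j.smith action=LOGIN target=- roles=-",
    "2020-07-14T10:02:17Z actor=- action=CREATE_USER target=svc_backdoor roles=ADMIN_ALL",
    "2020-07-14T10:05:44Z actor=admin1 action=CREATE_USER target=j.doe roles=DISPLAY_ONLY",
]


def check_audit_log(lines: List[str]) -> List[str]:
    """Return targets of privileged-user creations that have no
    authenticated actor, the trace a missing-auth flaw would leave."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("action") != "CREATE_USER":
            continue
        roles = set(fields.get("roles", "").split(","))
        if fields.get("actor") == "-" and ADMIN_ROLE in roles:
            findings.append(fields["target"])
    return findings


if __name__ == "__main__":
    anon = Request(session=None, new_user="svc_backdoor",
                   new_roles=frozenset({ADMIN_ROLE}))
    print("vulnerable handler accepted:", create_user_vulnerable(UserStore(), anon))
    print("fixed handler rejected:", is_rejected(create_user_fixed, UserStore(), anon))
    print("suspicious creations:", check_audit_log(SAMPLE_AUDIT_LOG))
```

The fixed handler layers three checks in order (is there a session at all, does it carry the managing role, does it hold every role it is trying to grant); the original flaw is the absence of the first, which makes the remaining controls unreachable. The audit check is deliberately simple: in a real estate the equivalent is a rule over the platform's own user-management events, keyed on a privileged-user creation with no corresponding authenticated session.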

Of the 40,000 potentially affected systems, at least 2,500 were directly connected to the internet, Onapsis added.

The vulnerability was assigned the tracking number CVE-2020-6287. A full list of the SAP business solutions that use NetWeaver, and are thus affected by RECON, has been compiled by Bleeping Computer.