Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP’s NetWeaver AS JAVA (LM Configuration Wizard) allows a remote unauthenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization.
The bug, CVE-2020-6287, is a lack of proper authentication in the NetWeaver component. This lets unauthorized users create new admin accounts via HTTP, granting miscreants full access: it’s rated 10 out of 10 on the CVSS severity scale. The vulnerable Java component is used throughout much of SAP’s product line, so it would be a good idea to check for updates on any SAP code running on your network.
To exploit the flaw, a hacker just needs to be able to reach the software over the network, or the internet if it is public facing.
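Because the only precondition is network reachability, the defender's questions are whether the LM Configuration Wizard answers requests from places it should not, and whether it is answering them at all rather than rejecting them. The script below, an added example and not code from Onapsis, SAP or this article, walks HTTP access-log lines and flags requests to the wizard that the server accepted (2xx) instead of rejecting (401/403/404), grading them by source and method. It assumes NCSA "combined" style log lines (adjust the regex to whatever your ICM or Java stack writes), a constructed trusted admin subnet, and a placeholder value for the wizard's URL prefix, `WIZARD_PATH_PREFIX`, which must be replaced with the real prefix from SAP note 2934135 or the Onapsis advisory; the sample log lines are constructed.

```python
"""Flag accepted HTTP requests to the NetWeaver LM Configuration Wizard.

Added example for CVE-2020-6287 (RECON) detection; not SAP or Onapsis code.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# ASSUMPTION / PLACEHOLDER: the wizard's real URL prefix is published in SAP
# note 2934135 and the Onapsis advisory. Replace before use.
WIZARD_PATH_PREFIX = "/LM_CONFIG_WIZARD_PLACEHOLDER/"

# ASSUMPTION (constructed): subnet from which admins legitimately run the wizard.
TRUSTED_ADMIN_NETS = [ip_network("10.10.0.0/24")]

# NCSA "combined"-style access log line; adapt to your server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(src_ip: str) -> bool:
    """True when the source address lies in an admin network we trust."""
    try:
        ip = ip_address(src_ip)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def assess(rec: dict) -> Optional[Finding]:
    """Return a Finding when the wizard handled a request instead of rejecting it."""
    if not rec["path"].startswith(WIZARD_PATH_PREFIX):
        return None
    status = rec["status"]
    if status in (401, 403, 404):
        return None  # rejected or not deployed: what a patched/hardened host should show
    trusted = is_trusted(rec["ip"])
    if 200 <= status < 300:
        # The wizard processed the request. Account creation is a write, so an
        # accepted POST from outside the admin network is the strongest signal.
        if rec["method"] == "POST" and not trusted:
            severity, reason = "high", "accepted POST to wizard from untrusted source"
        elif not trusted:
            severity, reason = "medium", "wizard reachable without rejection from untrusted source"
        else:
            severity, reason = "low", "wizard used from admin network; verify against change tickets"
    else:
        # 3xx/5xx: not clearly rejected; confirm the redirect target is a login challenge
        severity, reason = "low", "inconclusive status %d; review manually" % status
    return Finding(rec["ts"], rec["ip"], rec["method"], rec["path"], status, severity, reason)


def scan(lines) -> List[Finding]:
    """Run assess() over every parseable log line and collect findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = assess(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: addresses, timestamps and paths are made up.
SAMPLE_LOG = [
    '10.10.0.5 - - [14/Jul/2020:09:01:10 +0000] "GET /LM_CONFIG_WIZARD_PLACEHOLDER/ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [14/Jul/2020:10:15:01 +0000] "GET /LM_CONFIG_WIZARD_PLACEHOLDER/ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [14/Jul/2020:10:15:04 +0000] "POST /LM_CONFIG_WIZARD_PLACEHOLDER/ HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Jul/2020:11:00:00 +0000] "POST /LM_CONFIG_WIZARD_PLACEHOLDER/ HTTP/1.1" 401 -',
    '203.0.113.9 - - [14/Jul/2020:11:00:03 +0000] "GET /irj/portal HTTP/1.1" 200 9000',
    'this line is not an access-log record',
    '198.51.100.4 - - [14/Jul/2020:12:30:00 +0000] "GET /LM_CONFIG_WIZARD_PLACEHOLDER/ HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.timestamp} {f.src_ip} {f.method} {f.path} {f.status}: {f.reason}")
```

On the constructed sample the scan yields four findings: one low for the admin-network use, a medium and a high for the external GET and POST that were served, and a low "inconclusive" for the redirect; the rejected POST and the unrelated portal request produce nothing. After the patch from note 2934135 is applied, an unauthenticated request to the wizard should land in the rejected bucket, so any remaining 2xx from outside the admin network is worth a look.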
Onapsis said it reported the flaw to SAP on May 27. The bug was confirmed later that day and, on June 8, was issued a CVSS score of 10. The flaw was kept under wraps until July 14, when SAP could put out a patch (support note 2934135) as part of its scheduled monthly security update cycle.