Hackers Scanning the Internet Massively to Exploit SAP Recon Vulnerability

Hackers never miss a chance to target an organization’s network and compromise valuable information by attacking its sister products and services. In May 2020, researchers at Onapsis identified a CVSS 10/10 vulnerability in some SAP systems, and recently some hackers were found scanning the internet in an attempt to exploit this vulnerability.


The RECON vulnerability

In mid-July 2020, researchers reported about RECON (Remotely Exploitable Code On NetWeaver), a vulnerability tracked as CVE-2020-6287, exposing thousands of SAP Systems to cyberattacks.
  • Attackers were seen aggressively scanning the Internet massively for the SAP systems with RECON vulnerability.
  • More than 40,000 SAP customers and at least 2,500 systems in North America (33%), Europe (29%), and the Asia-Pacific region (27%) were found vulnerable.
  • The vulnerability existed due to a lack of authentication in a web component of the SAP NetWeaver AS Java, used in many SAP business solutions, including SAP SCM, SAP CRM, SAP PI, SAP Enterprise Portal and SAP Solution Manager (SolMan).


Impact and exploitation

The vulnerability could impact every SAP application like S/4HANA, Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Customer Relationship Management (CRM), and more running on top of SAP NetWeaver AS Java versions 7.3 through 7.5.


SAP Security Patch Day

  • SAP released the updates to fix the critical RECON vulnerability in the SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 to 7.50.
  • The FBI's CISA urged organizations to patch or mitigate the vulnerability with Internet-facing systems, following that Internal systems are also recommended to update.


A less severe vulnerability

In the same duration, a proof-of-concept (POC) exploit was released for another path traversal vulnerability (CVE-2020-6286) that could allow the download of any zip file from a vulnerable SAP server.