14 July 2020

RECON bug puts enterprise systems at risk of takeover

The software and technology solutions maker SAP has released a security update to address a serious vulnerability which puts more than 40,000 of its customers at risk of cyber attacks.

The flaw, tracked as CVE-2020-6287, has received a severity score of 10 out of 10 on the CVSS scale. The bug affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard and is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5).

The vulnerability, dubbed RECON (short for Remotely Exploitable Code On NetWeaver), stems from missing authentication in an SAP NetWeaver AS Java web component, which allows several high-privileged actions to be performed on the affected SAP system without credentials.

By exploiting this flaw, a remote, unauthenticated attacker could create a new SAP user with the highest privileges, and thus fully compromise vulnerable SAP installations, which would allow the attacker to steal or modify highly sensitive information, or disrupt critical business processes. CVE-2020-6287 can be exploited via an HTTP interface, which is typically exposed to end users and, in many cases, exposed to the internet.
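Because the weakness is an administrative web component that answers over an HTTP interface reachable without authentication, one of the first things a defender wants is visibility into who is calling that component and whether they authenticated. The following Python script is an added example, not code from this article or from SAP: it triages reverse-proxy access logs in front of a NetWeaver AS Java system and flags requests to the LM Configuration Wizard that carried no credentials or session cookie. The log format, the `LM_WIZARD_PATH` constant and the sample lines are all constructed assumptions; the real service path must be taken from SAP's security note for CVE-2020-6287.

```python
import re
from dataclasses import dataclass

# Assumed placeholder: the real URL path of the LM Configuration Wizard web service
# must be taken from SAP's security note / vendor advisory for CVE-2020-6287.
LM_WIZARD_PATH = "/lm-config-wizard/"

# Constructed (assumed) log format for a reverse proxy in front of NetWeaver AS Java:
#   <client ip> [<timestamp>] "<method> <path> HTTP/x.y" <status> <auth>
# where <auth> is '-' when the request carried neither credentials nor a session
# cookie, and 'cookie' or 'basic' otherwise.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<auth>\S+)$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str  # "high", "medium" or "low"
    reason: str


def parse_line(line: str):
    """Return the regex groups as a dict, or None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict):
    """Map one parsed record to a Finding, or None if it is not of interest.

    Only requests to the wizard path that presented no authentication are flagged:
    RECON is a missing-authentication bug, so an authenticated call is ordinary
    administration while an unauthenticated one is exactly what the patch closes.
    """
    if not rec["path"].startswith(LM_WIZARD_PATH) or rec["auth"] != "-":
        return None
    status = int(rec["status"])
    if 200 <= status < 300 and rec["method"] == "POST":
        sev, why = "high", "unauthenticated POST to LM Configuration Wizard succeeded"
    elif 200 <= status < 300:
        sev, why = "medium", "unauthenticated request to LM Configuration Wizard succeeded"
    else:
        sev, why = "low", "unauthenticated request to LM Configuration Wizard was rejected"
    return Finding(rec["ip"], rec["ts"], rec["method"], rec["path"], status, sev, why)


def triage(lines):
    """Run every parseable log line through classify() and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole run
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


def sources_by_severity(findings):
    """Highest severity observed per client address, for prioritising follow-up."""
    rank = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if f.ip not in worst or rank[f.severity] > rank[worst[f.ip]]:
            worst[f.ip] = f.severity
    return worst


# Constructed sample lines (not real traffic); 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
10.0.0.5 [14/Jul/2020:10:01:02 +0000] "GET /portal/home HTTP/1.1" 200 cookie
203.0.113.7 [14/Jul/2020:10:02:15 +0000] "GET /lm-config-wizard/ HTTP/1.1" 200 -
203.0.113.7 [14/Jul/2020:10:02:16 +0000] "POST /lm-config-wizard/service HTTP/1.1" 200 -
10.0.0.9 [14/Jul/2020:10:03:40 +0000] "POST /lm-config-wizard/service HTTP/1.1" 200 basic
10.0.0.5 [14/Jul/2020:10:04:00 +0000] "GET /lm-config-wizard/ HTTP/1.1" 403 -
this line is garbage and is skipped
""".splitlines()

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.ts} {f.ip} {f.method} {f.path} -> {f.status}: {f.reason}")
    print(sources_by_severity(results))
```

On the constructed sample the script reports the successful unauthenticated POST as high, the unauthenticated GET that succeeded as medium, and the rejected one as low, while the authenticated POST from 10.0.0.9 is ignored. The severity split matters in practice: after the patch, unauthenticated calls should be rejected, so "low" findings confirm the fix is in place, whereas any "high" finding from before patching is a signal to look for newly created high-privilege users.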

The vulnerability potentially impacts the following SAP Java-based solutions, among others:

  • SAP Enterprise Resource Planning,

  • SAP Product Lifecycle Management,

  • SAP Customer Relationship Management,

  • SAP Supply Chain Management,

  • SAP Supplier Relationship Management,

  • SAP NetWeaver Business Warehouse,

  • SAP Business Intelligence,

  • SAP NetWeaver Mobile Infrastructure,

  • SAP Enterprise Portal,

  • SAP Process Orchestration/Process Integration,

  • SAP Solution Manager,

  • SAP NetWeaver Development Infrastructure,

  • SAP Central Process Scheduling,

  • SAP NetWeaver Composition Environment,

  • SAP Landscape Manager.

Administrators of SAP systems are urged to apply SAP's patches as soon as possible.
