
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-6287, known as RECON (Remotely Exploitable Code On NetWeaver), is a critical vulnerability in the LM Configuration Wizard of SAP NetWeaver AS JAVA versions 7.30, 7.31, 7.40, and 7.50. Disclosed in July 2020, it is a missing authentication check that lets an unauthenticated attacker invoke the wizard's configuration tasks and perform high-privilege actions against SAP Java systems. Onapsis estimated that more than 40,000 SAP customers were affected, with approximately 2,500 systems directly exposed to the internet (Onapsis Report, CISA Alert).
The vulnerability carries the highest possible CVSS v3.1 base score of 10.0 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and a scope change because control of the wizard translates into control of the whole SAP system. The flaw resides in a component installed by default in every SAP application running on the SAP NetWeaver Java technology stack. Its cause is a complete absence of authentication on the LM Configuration Wizard's CTCWebService SOAP endpoint, so any client that can reach the HTTP(S) port of the Java server can call it (NVD, Tenable Blog).
A successful exploit lets an unauthenticated attacker create administrative users, execute arbitrary operating system commands with the privileges of the SAP service user account, and thereby obtain unrestricted access to the SAP system. From there the attacker can modify financial records, steal personally identifiable information, corrupt data, delete or alter logs and traces, and compromise the confidentiality, integrity, and availability of the system. Because the affected stack underlies many SAP products, the exposure extends to SAP Enterprise Resource Planning, Product Lifecycle Management, Customer Relationship Management, Supply Chain Management, and other solutions running on SAP NetWeaver AS JAVA (CISA Alert, Onapsis Report).
SAP fixed the vulnerability in SAP Security Note #2934135. Patching should be prioritized, starting with internet-facing systems and followed by internal ones, since exploitation requires nothing more than HTTP(S) access to the Java server. Where immediate patching is not possible, the LM Configuration Wizard can be disabled as an interim workaround (SAP Security Note #2939665); this removes the vulnerable endpoint but is not a substitute for the patch. CISA recommends closely monitoring SAP NetWeaver AS for anomalous activity if neither option is available or will take more than 24 hours to implement (CISA Alert). Because the vulnerability allows creation of administrative users, systems that were reachable before the fix was applied should also be reviewed for unexpected accounts and other signs of prior exploitation.
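The two checks a practitioner would want around the endpoint described above and the mitigation and monitoring guidance: an unauthenticated probe of the wizard's SOAP endpoint to confirm whether a system is still exposed after patching or disabling the wizard, and a scan of HTTP access logs for requests to that endpoint. This is an added example, not code from the Wiz page, SAP, Onapsis, or CISA. It assumes that the endpoint is served at /CTCWebService/CTCWebServiceBean and returns its WSDL to an unauthenticated ?wsdl request when exposed (the path public scanners probe); the log lines are constructed in Apache combined format and real NetWeaver HTTP logs may use a different layout.

```python
"""Added example for CVE-2020-6287 (RECON); not from the page or from SAP.

Assumptions (labelled): the LM Configuration Wizard SOAP endpoint lives at
CTC_PATH and answers an unauthenticated '?wsdl' GET with its WSDL when the
system is exposed. SAMPLE_LOG is constructed, not captured from a real system.
"""
import re
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass

CTC_PATH = "/CTCWebService/CTCWebServiceBean"  # assumed endpoint path


@dataclass
class ProbeResult:
    reachable_unauthenticated: bool
    status: int
    reason: str


def assess_probe_response(status: int, body: str) -> ProbeResult:
    """Classify the answer to an unauthenticated GET of CTC_PATH + '?wsdl'.

    A 200 carrying a WSDL means the wizard answered with no credentials at all,
    i.e. the missing-authentication condition RECON relies on is present.
    401/403 means authentication is now enforced; 404 means the application is
    not deployed or was disabled per SAP Note 2939665.
    """
    if status == 200 and ("<wsdl:definitions" in body or "CTCWebService" in body):
        return ProbeResult(True, status, "WSDL served without authentication")
    if status in (401, 403):
        return ProbeResult(False, status, "endpoint requires authentication")
    if status == 404:
        return ProbeResult(False, status, "endpoint not deployed or disabled")
    return ProbeResult(False, status, "unexpected response; inspect manually")


def probe(base_url: str, timeout: float = 10.0, verify_tls: bool = True) -> ProbeResult:
    """Send the unauthenticated WSDL request to a live host (network; not run by tests)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab systems often present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip("/") + CTC_PATH + "?wsdl",
                                 headers={"User-Agent": "recon-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return assess_probe_response(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess_probe_response(err.code, "")


# Apache combined log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class LogHit:
    ip: str
    method: str
    path: str
    status: int
    severity: str


def scan_access_log(lines):
    """Return every request to the CTCWebService endpoint, rated by what it implies.

    A GET of the WSDL is reconnaissance (low). A POST is the SOAP call an exploit
    uses (medium); a POST answered 2xx means the wizard actually processed it (high).
    Path matching is case-insensitive because Java web servers may fold case.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/ctcwebservice/" not in m.group("path").lower():
            continue
        method, status = m.group("method"), int(m.group("status"))
        if method == "POST" and 200 <= status < 300:
            severity = "high"
        elif method == "POST":
            severity = "medium"
        else:
            severity = "low"
        hits.append(LogHit(m.group("ip"), method, m.group("path"), status, severity))
    return hits


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Jul/2020:10:01:02 +0000] "GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1" 200 4821 "-" "python-requests/2.24"',
    '203.0.113.10 - - [14/Jul/2020:10:01:05 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 312 "-" "python-requests/2.24"',
    '198.51.100.7 - jdoe [14/Jul/2020:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 9931 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [14/Jul/2020:10:03:00 +0000] "POST /ctcwebservice/CTCWebServiceBean HTTP/1.1" 404 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit.severity:6} {hit.ip:14} {hit.method} {hit.path} -> {hit.status}")
```

The probe deliberately sends no credentials: the point of the check is whether the endpoint answers at all without them, so a result of "WSDL served without authentication" on a system believed patched is itself a finding. The log scan is only an indicator; a single WSDL fetch from a scanner is common background noise, while a 2xx POST from an unexpected address warrants an immediate review of the user store for newly created administrators.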
The vulnerability received significant attention from the cybersecurity community due to its critical nature. CISA issued an alert (AA20-195A) highlighting the severity of the vulnerability and providing detailed mitigation guidance. The discovery led to collaboration between Onapsis Research Labs and the SAP Security Response Team to address the vulnerability quickly (CISA Alert, Onapsis Report).
Source: This report was generated using AI