Threat Advisory: Critical Vulnerability in SAP NetWeaver AS Java (CVE-2020-6287)

July 17, 2020

SAP has released a security update to address the critical vulnerability, CVE-2020-6287, discovered in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. This vulnerability is found in SAP applications running NetWeaver AS Java 7.3 up to 7.5. Since the SAP NetWeaver AS for Java supports the SAP Portal component (which is commonly exposed to the Internet), it is possible that this vulnerability is publicly exposed as well.

The vulnerability is caused by a lack of authentication in a web component of SAP NetWeaver AS for Java that allows high-privileged activities on the SAP system. Threat actors can gain unrestricted access by creating user accounts and using them to execute operating system commands with the privilege level of the SAP service account which has unrestricted access to the SAP database and the ability to perform application maintenance actions.

Successful exploitation of this vulnerability via the Hypertext Transfer Protocol (HTTP) allows an unauthenticated user to take control of trusted SAP applications, leading to the SAP NetWeaver Application Server being compromised.

Herjavec Group highly recommends that organizations apply the patch immediately due to the criticality of the vulnerability and the expanded attack surface. If organizations are unable to patch affected systems, the vulnerability can also be mitigated by disabling the LM Configuration Wizard service. Monitoring SAP NetWeaver AS for anomalous activity is highly advised.  

Herjavec Group circulates US – CERT advisories as this notification warrants attention and may have significance to your Enterprise network environment. If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn