Exploitation of the bug can allow an attacker to lift sensitive information, delete files, execute code, carry out sabotage and more.

A critical vulnerability, carrying a severity score of 10 out of 10 on the CVSS bug-severity scale, has been disclosed for SAP customers.

SAP’s widely deployed collection of enterprise resource planning (ERP) software is used by organizations to manage their financials, logistics, customer-facing operations, human resources and other business areas. As such, the systems contain plenty of sensitive information.

According to an alert from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personally identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.

The bug (CVE-2020-6287) has been named RECON by the Onapsis Research Labs researchers that found it, and it affects more than 40,000 SAP customers, they noted. SAP delivered a patch for the issue on Tuesday as part of its July 2020 Security Note.

“It stands for Remotely Exploitable Code On NetWeaver,” Mariano Nunez, CEO of Onapsis, told Threatpost. “This vulnerability resides inside SAP NetWeaver Java versions 7.30 to 7.50 (the latest version as of [our analysis publication]). All Support Packages tested to date were vulnerable. SAP NetWeaver is the base layer for several SAP products and solutions.”

An attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios, according to the firm.


Critical SAP Bug Allows Full Enterprise System Takeover