A new critical vulnerability (CVE-2020-6287) in SAP’s Enterprise Resource Planning (ERP) applications has been disclosed and a patch was released by SAP on July 13th, 2020. Any corporation using SAP should check if they are using a vulnerable application and install the patch immediately. If an organization is unable to patch immediately, it should disable the LM Configuration Wizard service (SAP Security Note #2939665) to mitigate the vulnerability until they are able to patch their system. According to an alert from the US Cybersecurity and Infrastructure Security Agency, they strongly recommend organizations patch immediately, but they are unaware of any active exploitation of this vulnerability. The vulnerability affects the default configuration in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer version up to 7.5. By exploiting this through Hypertext Transfer Protocol (HTTP), a remote unauthenticated attacker can gain unrestricted access to SAP systems by creating privileged user accounts and the execution of arbitrary operating system commands with the privileges of the SAP user account <sid>adm, which has unrestricted access to the SAP database and is able to shut down federated SAP applications, along with other maintenance activities. All of this could allow an attacker access to any confidential information about an organization within SAP.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in