Original Release Date: 7/17/2020
Multiple vulnerabilities were discovered in SAP products. The most severe, dubbed RECON (Remotely Exploitable Code On NetWeaver) and tracked as CVE-2020-6287, could allow an unauthenticated, remote threat actor to create an SAP user account with maximum privileges on internet-exposed SAP applications, granting full control over affected systems. The RECON vulnerability is a missing authentication check in the LM Configuration Wizard, a component enabled by default in SAP applications running the SAP NetWeaver Application Server Java technology stack, and it is trivial to exploit. The NetWeaver Java stack is used in some of SAP's most popular products, including SAP S/4HANA, SAP CRM, SAP Enterprise Portal, SAP Solution Manager (SolMan), SAP SCM, and any other SAP application running the stack. Onapsis researchers, who reported the flaw, identified approximately 2,500 internet-exposed SAP systems vulnerable to RECON. Proof-of-concept exploits have been publicly released and active scanning for vulnerable systems has been detected; experts assess that exploitation could begin within days. These vulnerabilities place affected governments and businesses at high risk until patched.
The NJCCIC highly advises administrators of impacted SAP applications to apply the updates in SAP Security Note 2934135 as soon as possible, after appropriate testing, to patch the RECON bug, along with the other vulnerabilities addressed in the July 2020 SAP Security Patch Day. Where patching cannot be completed immediately, CISA recommends disabling the LM Configuration Wizard service as an interim mitigation (see SAP Security Note 2939665); note that this workaround removes the vulnerable functionality but is not a substitute for the patch. More information, including a list of vulnerable products, can be found in the SAP Security Patch Day notes and in CISA Alert AA20-195A.