CISA Alert: Critical Vulnerability in SAP NetWeaver AS Java

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a new alert about a previously undisclosed vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications. Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, CISA strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems. CISA reports it is unaware of any active exploitation of these vulnerabilities at the time of this report. However, because patches have been publicly released, the underlying vulnerabilities could be reverse-engineered to create exploits that target unpatched systems. Additionally, it notes that malicious actors have previously been observed exploiting other vulnerabilities in SAP Netweaver. Read the alert at CISA.