The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on a critical vulnerability in SAP NetWeaver AS Java. The vulnerability could allow an unauthenticated attacker to use HTTP for takeover of applications built using NetWeaver.
The vulnerability, CVE-2020-6287, involves a lack of authentication in a web component of NetWeaver AS Java. Because of the nature of the components, applications across a broad swath of business-critical enterprise SAP installations could be affected.
Dubbed "Remote Exploitable Code on Netweaver" (RECON) by the researchers at Onapsis who discovered it, the vulnerability has been given a CVSS score of 10, the most critical.
SAP has issued a patch for the vulnerability. Both SAP and CISA urge SAP customers to apply the patch immediately.
Read more here.