CVE-2020-6287 — SAP NetWeaver Missing Authentication for Critical Function Vulnerability

SAP NetWeaver AS Java — RECON: Unauthenticated Access to LM Config Wizard Enables Admin User Creation; CVSS 10.0, Affects 40,000+ SAP Systems, NSA/CISA Joint Alert

What is SAP NetWeaver AS Java?

SAP NetWeaver Application Server Java (AS Java) is the Java-based application server component of SAP NetWeaver, used to run SAP applications such as SAP Enterprise Portal, SAP Process Integration/Orchestration, and SAP Solution Manager. SAP NetWeaver powers the vast majority of large enterprise ERP, HR, finance, and supply chain systems globally. The Life-cycle Management (LM) Configuration Wizard (reachable at /ctc/dispatcher/) is an administrative tool for initial setup and post-installation configuration of SAP NetWeaver components. The wizard can create and modify SAP administrative accounts, a capability that should be strictly access-controlled. Missing authentication on the configuration wizard endpoint lets anyone who can reach the SAP system over the network perform the same actions as a system administrator.

Overview

CVE-2020-6287, named RECON (Remotely Exploitable Code On NetWeaver) by Onapsis, is a missing-authentication (CWE-306) vulnerability in the LM Configuration Wizard of SAP NetWeaver AS Java that allows an unauthenticated attacker to reach configuration endpoints and create new SAP system administrative users. With a CVSS score of 10.0, the maximum, and Scope: Changed, reflecting that SAP administrator access affects all SAP-integrated business processes, RECON was immediately recognized as one of the most severe enterprise software vulnerabilities in years. Onapsis estimated that 40,000+ SAP NetWeaver systems were internet-accessible. SAP patched it in Security Note 2934135 (July 2020). NSA and CISA issued a joint advisory in April 2021 confirming exploitation by sophisticated threat actors.

Affected Versions

Product                                            Vulnerable  Fixed
SAP NetWeaver AS Java 7.30 through 7.50            Yes         Apply SAP Security Note 2934135
SAP Solution Manager 7.2 (uses NetWeaver AS Java)  Yes         Apply SAP Security Note 2934135

Technical Details

  • Root cause: Missing authentication for critical function (CWE-306). The SAP NetWeaver LM Configuration Wizard servlet (/ctc/dispatcher/) exposes configuration endpoints that should require administrator authentication, but the authentication check is absent or bypassable, so any unauthenticated HTTP request can invoke configuration functions, including user creation, system parameter modification, and component configuration
  • Admin user creation: The most immediate exploitation path. An unauthenticated attacker sends an HTTP POST to the LM Config Wizard endpoint to create a new SAP administrative user with credentials of their choosing; the new user has full SAP system administrator access, bypassing SAP's role-based authorization framework entirely
  • CVSS 10.0 / S:C: The maximum score reflects the combination of an unauthenticated network attack with a scope change. SAP administrator access affects all business-critical data in the SAP system (financial records, HR data, supply chain configuration, customer information, and all integrated business processes), and scope changes because compromising one SAP component affects the entire SAP landscape
  • Enterprise ERP impact: SAP systems hold the most sensitive business data in large organizations (financial statements, payroll, purchase orders, personnel records, pricing data, and strategic business intelligence); RECON grants access to all of it without credentials
  • Internet exposure: Onapsis identified 40,000+ SAP NetWeaver systems reachable from the internet via Shodan and other search engines; many were enterprise SAP portals and Solution Manager deployments that are intentionally internet-facing, but none of them should have had the LM Config Wizard reachable
  • NSA/CISA attribution: The April 2021 NSA/CISA joint advisory confirmed that sophisticated threat actors exploited CVE-2020-6287 against US and global organizations, indicating that nation-state and financially motivated actors developed working exploits

Discovery

Discovered by Onapsis Research Labs, which reported RECON to SAP and coordinated simultaneous patch release and public disclosure on July 14, 2020. Onapsis also provided a detection script to help organizations identify whether their NetWeaver systems were vulnerable.

Exploitation Context

SAP systems are uniquely valuable targets because they are the authoritative source for critical business data across large enterprises and government organizations. An attacker with SAP administrator access can extract entire databases of financial, personnel, and supply chain data; modify financial records or purchase orders; pivot to connected systems via SAP integration interfaces (RFC, BAPIs, IDocs); and reach backend databases through SAP GUI connections. The combination of massive enterprise deployment, internet exposure of many SAP Portal and Solution Manager instances, and the completely unauthenticated nature of RECON made this one of the most impactful enterprise vulnerabilities of 2020. Nation-state actors with industrial espionage objectives are particularly interested in SAP access given the business intelligence it exposes.

Remediation

  1. Apply SAP Security Note 2934135 immediately to all affected SAP NetWeaver AS Java versions; this patches the LM Configuration Wizard authentication gap
  2. Run the Onapsis RECON detection script (or SAP's own assessment tools) to verify that all NetWeaver systems are patched and that the LM Config Wizard is no longer reachable without authentication
  3. Restrict internet access to SAP NetWeaver AS Java systems; the LM Configuration Wizard should never be internet-accessible, so implement network controls that block external access to the /ctc/dispatcher/ and /ctc/ endpoints
  4. Audit SAP user accounts: review the SAP user master data (transactions SU01, SU10) for any unauthorized administrative accounts created before or after the patch, and delete any unrecognized administrator accounts
  5. Review SAP audit logs (Security Audit Log, System Log) for unauthorized administrative actions, user-creation events, or configuration changes that may have occurred during the exploitation window
  6. Assess connected systems: SAP administrators can reach RFC destinations, database connections, and integration interfaces, so audit all connected systems for unauthorized access if exploitation is suspected
  7. Apply SAP Security Notes on a regular schedule; SAP releases security patches monthly and ships out-of-cycle fixes immediately for critical vulnerabilities
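As an added example, not from this page, SAP, or Onapsis: a Python scan that supports remediation steps 3 and 5 by reading access logs from a reverse proxy in front of AS Java, flagging every request to the /ctc/ paths and rating it critical when an external source received a 2xx answer. The Combined Log Format, the sample log lines, and the 10.20.0.0/16 administrative range are assumptions constructed for this example; AS Java's own HTTP access log would need its own parser.

```python
import ipaddress
import re

# Constructed sample lines in Combined Log Format, as a reverse proxy in front of
# SAP NetWeaver AS Java would write them; they are not real records.
SAMPLE_LOG = """\
10.20.0.15 - - [14/Jul/2020:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Jul/2020:09:12:44 +0000] "GET /ctc/dispatcher/ HTTP/1.1" 200 8734 "-" "python-requests/2.24"
203.0.113.77 - - [14/Jul/2020:09:12:51 +0000] "POST /ctc/dispatcher/ HTTP/1.1" 200 412 "-" "python-requests/2.24"
10.20.0.8 - - [14/Jul/2020:10:03:17 +0000] "GET /ctc/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jul/2020:11:40:05 +0000] "GET /ctc/dispatcher/ HTTP/1.1" 403 0 "-" "curl/7.68"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# LM Configuration Wizard paths named in the remediation steps above.
CTC_PREFIXES = ("/ctc/",)
# Assumed administrative network: only these sources may legitimately use /ctc/.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def is_admin_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def scan_access_log(text: str) -> list:
    """One finding per request to a /ctc/ path, rated by who sent it and what came back.

    critical: external source and a 2xx answer, i.e. the wizard served content to a
              host that should have been blocked (a POST matches the admin-user-creation
              pattern); treat as possible exploitation and audit accounts
    warning:  external source that was rejected (401/403/404); the control held, but
              the endpoint is being probed
    info:     internal administrative use
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(CTC_PREFIXES):
            continue
        external = not is_admin_source(m["ip"])
        served = m["status"].startswith("2")
        severity = "critical" if external and served else "warning" if external else "info"
        findings.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                         "status": int(m["status"]), "severity": severity})
    return findings
```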

Key Details

Property              Value
CVE ID                CVE-2020-6287
Vendor / Product      SAP / NetWeaver
NVD Published         2020-07-14
NVD Last Modified     2025-10-31
CVSS 3.1 Score        10.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-306
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Changed
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2020-07-14  SAP releases Security Note 2934135, patching RECON (CVE-2020-6287) in NetWeaver AS Java
2020-07-14  Onapsis publishes RECON research and discloses that 40,000+ SAP NetWeaver systems are potentially accessible via the internet
2021-04-15  NSA and CISA release joint cybersecurity advisory on exploitation of vulnerable SAP applications, referencing CVE-2020-6287
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03  CISA BOD 22-01 remediation deadline