Just two days after SAP released patches for a critical NetWeaver AS JAVA remote code execution vulnerability, proof-of-concept (PoC) exploits have been released, and reconnaissance scans for vulnerable systems are already underway.
If exploited, the flaw could allow unauthenticated, remote attackers to gain full control of vulnerable systems, which could then be used as launching pads for further attacks within a corporate network.
A second vulnerability, tracked as CVE-2020-6286, was also patched on Monday. Its description states that it “allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.”
According to Onapsis’ estimates, more than 40,000 SAP customers could be affected by this security flaw.
Given the severity of the vulnerability and the kinds of businesses that run these systems, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) strongly recommended that all customers install the patches immediately.
PoCs released, and active scans detected
Today, a PoC exploit covering both vulnerabilities was released on GitHub, and all affected SAP NetWeaver customers are strongly advised to install the patches as soon as possible.
The PoC seen by BleepingComputer does not achieve remote code execution; it uses the path traversal vulnerability (CVE-2020-6286) to download ZIP files from the vulnerable system.
It is not clear what is contained in these ZIP files at this time. BleepingComputer has reached out to the researcher for more information.
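To show the bug class behind CVE-2020-6286 and the PoC described above, here is an added illustration that is not code from the page, from SAP, or from the GitHub PoC: a generic file-download handler that joins a client-supplied name onto an export directory (the traversal-prone pattern), beside a hardened resolver that decodes, canonicalizes and confines the path before touching the filesystem. The export root, the sample request strings and the ".zip-only, flat directory" policy are all constructed assumptions for the demo and say nothing about how the real NetWeaver endpoint works.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root for the demo; no real SAP directory is implied.
EXPORT_ROOT = "/srv/app/export"


def vulnerable_resolve(requested: str) -> str:
    """The unsafe pattern: join the client-supplied name straight onto the export root.

    normpath() collapses the '..' components, so a name such as '../../etc/passwd'
    resolves to a path outside EXPORT_ROOT, and an absolute name makes join()
    discard the root entirely. Nothing here checks where the result ended up.
    """
    return posixpath.normpath(posixpath.join(EXPORT_ROOT, requested))


def safe_resolve(requested: str, root: str = EXPORT_ROOT) -> Optional[str]:
    """Hardened resolution. Returns the canonical path, or None to reject the request.

    Policy assumed for this example: the endpoint serves only .zip files that live
    directly in the export directory (no subdirectories).
    """
    # Decode twice so double-encoded dots (%252e) are seen as what they become,
    # then refuse embedded NUL bytes, which truncate paths in C-based file APIs.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators too, as a Windows-hosted server would.
    decoded = decoded.replace("\\", "/")
    # An absolute name would replace the root in join(); reject it outright.
    if decoded.startswith("/"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Containment check on the canonical path: it must stay under the root.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    # Allowlist on top of containment: one component, ZIP extension only.
    if posixpath.dirname(candidate) != root_norm or not candidate.endswith(".zip"):
        return None
    return candidate


# Constructed request names, not taken from any real scan or PoC.
SAMPLE_REQUESTS = [
    "report.zip",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/%252e%252e/etc/passwd",
    "/etc/passwd",
    "..\\..\\windows\\win.ini",
    "sub/report.zip",
]


def classify(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request to (what the naive handler would open, what the safe one allows)."""
    return {r: (vulnerable_resolve(r), safe_resolve(r)) for r in requests}


if __name__ == "__main__":
    for name, (naive, safe) in classify().items():
        print(f"{name!r:40} naive -> {naive:45} safe -> {safe}")
```

The naive resolver leaves the single-encoded and backslash variants untouched only because it never decodes them; a web framework that percent-decodes before calling the handler would hand it the raw `../` form. That is why the hardened version decodes first and checks the canonical result, rather than pattern-matching on the string the client sent.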
Threat intelligence company Bad Packets has told BleepingComputer that it has detected active reconnaissance scans for these vulnerabilities.
Now that a PoC is available, APT groups, state-sponsored hackers, and ransomware operators are expected to use these vulnerabilities, if they are not doing so already, to try to breach corporate networks.