PoC exploits released for SAP Recon vulnerabilities, patch now!

Just two days after SAP released patches for a critical NetWeaver AS JAVA remote code execution vulnerability, proof-of-concept (PoC) exploits have been released, and active scans are underway to exploit devices.

Discovered by Onapsis, The RECON (Remotely Exploitable Code On NetWeaver) vulnerability is tracked as CVE-2020-6287 and is rated with a maximum CVSS score of 10 out of 10.

If exploited, it could allow unauthenticated, remote attackers to gain full access to the vulnerable systems. These systems could then be used as launching pads for further attacks within a corporate network.

Another vulnerability tracked as CVE-2020-6286 was also patched on Monday that “allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.”

According to Onapsis’ estimates, more than 40,000 SAP customers could be affected by this security flaw.

Due to the severity of this vulnerability and the businesses that use these devices, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) strongly recommended that all customers install the patches immediately.

PoCs released, and active scans detected

Today a PoC exploit for both vulnerabilities was released on GitHub, and it is strongly advised that all affected SAP NetWeaver customers install these patches as soon as possible.



The PoC seen by BleepingComputer does not perform remote code execution but does utilize the path traversal vulnerability to download ZIP files from the vulnerable system.

It is not clear what is contained in these ZIP files at this time. BleepingComputer has reached out to the researcher for more information.

Threat intelligence company Bad Packets has told BleepingComputer that he has detected active reconnaissance scans for these vulnerabilities.

Now that a PoC is available, it is expected that APT groups, state-sponsored hackers, and ransomware operators will, if not already, use these vulnerabilities to try and breach corporate networks.

Patch now!


Next Post

Watch artificial intelligence learn to simulate sloppy mixtures of water, sand, and ‘goop’ | Science

Thu Jul 16 , 2020
By Matthew HutsonJul. 15, 2020 , 11:30 AM When scientists or special effects wizards want to simulate a flood or visualize an asteroid impact, they turn to programs called physics engines. But handcrafting such software to match nature requires time and expertise. Now, researchers have found a way for artificial […]