PRIVATE_FEEDS/CVE_VULN_FEED/CVE-2020-6287-sap_netweaver_rce/alert_text.md

Date: 2020-07-14

On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard / CVSS: 10.0

An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.

Affected Netweaver-Versions:

• 7.3 up to 7.5

False-Positive-Level: very possible The confidence-Level of Netweaver-Installations is very high, but we cannot detect the version 100% reliable. Please check which versions are used and check the advisory, listed below. From the data we gathered, if we were able to idenitfy the Netweaver-Version, 80% were vulnerable.

we found various IPs in your ORG/ASN, matching criteria for possible vulnerable systems

please find a list of affected IPs below and more information on that problem here:

References:

• https://us-cert.cisa.gov/ncas/alerts/aa20-195a
• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675