PT-2020-5955 · Sap · Sap Netweaver As Java

Pablo Artuso · Published 2020-07-14 · Updated 2025-10-31 · CVE-2020-6287

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 through 7.50
Description: The vulnerability is a missing authentication check for critical functions in the SAP NetWeaver Java Application Server (LM Configuration Wizard). It allows an attacker to execute configuration tasks without prior authentication, potentially compromising the confidentiality, integrity, and availability of the system. Because the authentication check is missing, an unauthenticated attacker can create an administrative user. The vulnerability has been exploited in real-world incidents, with reports of mass scanning for vulnerable servers. Financial institutions, hospitals, and government entities are among the affected industries.
Recommendations: For SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 through 7.50, apply the patches made available by SAP to fix the missing authentication check. As a temporary workaround, consider restricting access to the LM Configuration Wizard to minimize the risk of exploitation. Avoid using the vulnerable component until a patch is applied.

Exploit · Fix

Weakness Enumeration

Improper Authentication
Missing Authentication

Related Identifiers

BDU:2021-02129
CVE-2020-6287
SAPNETWEAVERCVE2020_6287

Affected Products

Sap Netweaver As Java