
RECON bug lets hackers create admin accounts on SAP servers


SAP patches bug impacting most of its apps and customer base.
Business giant SAP released a patch today for a major vulnerability that impacts the vast majority of its customers. The bug, codenamed RECON, exposes companies to easy hacks, according to cloud security firm Onapsis, which discovered the vulnerability earlier this year, in May, and reported it to SAP to have it patched.
Onapsis says RECON allows malicious threat actors to create an SAP user account with maximum privileges on SAP applications exposed on the internet, granting attackers full control over the hacked companies' SAP resources.
The vulnerability is easy to exploit and resides in a default component included in every SAP application running the SAP NetWeaver Java technology stack — namely in the LM Configuration Wizard component, which is part of the SAP NetWeaver Application Server (AS).
The component is used in some of SAP's most popular products, including SAP S/4HANA, SAP SCM, SAP CRM, SAP Enterprise Portal, and SAP Solution Manager (SolMan).
Other SAP applications running the SAP NetWeaver Java technology stack are also impacted.
