Shielding the Remote Execution of Code On NetWeaver (RECON) Vulnerability

Organisations with unpatched SAP systems are currently at high risk for attacks exploiting the Remote Execution of Code On NetWeaver (RECON) Vulnerability.
RedShield has developed custom shield objects which immediately fix the RECON vulnerability, without touching a single line of SAP application code to ensure critical data within SAP systems remains secure.


What’s happened? 

SAP disclosed two new critical vulnerabilities in the SAP NetWeaver Application Server on July 13, that allow attackers to gain remote access and complete control over SAP systems. This application is considered a critical part of the SAP stack, and many SAP solutions are affected by these vulnerabilities. Approximately 40,000 SAP customers are potentially affected.

In July 2020, SAP Security noted the RECON (Remotely Exploitable Code On NetWeaver) vulnerability has a CVSS score of 10 out of 10 (the most severe) and can potentially be exploited, impacting the confidentiality, integrity, and availability of mission-critical SAP applications.

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert recommending organizations immediately perform patches. If unable to do so within 24 hours, CISA strongly recommends monitoring for suspicious activity.

Risks and business impacts from the RECON vulnerability

If a malicious user is able to successfully exploit the RECON vulnerability, they can create their own account in SAP systems with maximum privileges, allowing them to:

  • steal personally identifiable information (PII), which may violate privacy regulations (e.g. GDPR, CCPA);
  • access, delete, or manipulate financial records and banking details; and
  • perform other admin functions such as deleting or modifying database records, traces, logs, and other files.

As the SAP NetWeaver Java is a base layer for many SAP products, exploiting this vulnerability may allow an attacker to leverage the connected systems and access further business-critical data and PII.

SAP solutions potentially affected

This particular vulnerability is found in SAP NetWeaver Java versions 7.30 to 7.50. SAP NetWeaver is a base component for a broad range of SAP products and solutions. These include:

  • SAP Solution Manager (SolMan) 7.2
    Note, SAP Solution Manager (SolMan) is deployed in nearly every SAP environment, meaning all SAP customers running the Business Suite and S/4HANA will have at least one system affected by the vulnerability
  • SAP Enterprise Resource Planning (ERP)
  • SAP HR Portal
  • SAP Supply Chain Management (SCM)
  • SAP CRM (Java Stack)
  • SAP Enterprise Portal
  • SAP Landscape Management (SAP LaMa)
  • SAP Process Integration/Orchestration (SAP PI/PO)
  • SAP Supplier Relationship Management (SRM)
  • SAP NetWeaver Mobile Infrastructure (MI)
  • SAP NetWeaver Development Infrastructure (NWDI)
  • SAP NetWeaver Composition Environment (CE)

Get protected against identified RECON vulnerabilities with RedShield’s custom shields

Some items can be addressed by blocking malicious traffic, but not all. In many cases functional code changes will be required. This is where RedShield’s combination of unique technology and services are valuable.

RedShield has developed custom ‘shields’ to protect against RECON. Shields are custom code objects, designed to shield vulnerabilities at the proxy layer, ensuring attacks are harmless before they reach your application.

This means you can shield the known vulnerability virtually, removing any risk, without having to touch a single line of SAP code. This can be done for any old, legacy and new SAP applications, API’s – all sorts. Using their unique fat proxy architecture, RedShield can implement the shield within hours, well within the CISA’s recommended 24 hour timeframe.

RECON exploits in a nutshell & what RedShield can do

  • The SAP NetWeaver CTC service is unauthenticated by default, this means an attacker can create their own account with any privileges.
    Shields: Block complete access to the CTC service either globally or selectively eg IP, X.509 cert, enforce third party pre-authentication, implement pre-authentication, block partial access to the CTC service either globally or selectively eg IP, X.509 cert
  • The SAP NetWeaver is susceptible to directory traversal
    Shields: Block “..” as part of any REQ
  • SAP NetWeaver forms do not have authorization tokens attached, hence are susceptible to CSRF
    Shields: Add the SameSite cookie flag in.

Act now to remediate the risk of the RECON vulnerability

Book a call with a RedShield Solution Architect to discuss how your organisation can mitigate the risk of RECON exploits. You can also request a free test drive of the shielding technology, which can be deployed urgently to secure your SAP applications.

Book a call with RedShield

  • This field is for validation purposes and should be left unchanged.