Experts warn of massive internet scans for SAP systems affected by RECON Vulnerability

Pierluigi Paganini July 18, 2020

Hackers have been scanning the Internet for SAP systems affected by RECON vulnerability, researchers from Bad Packets warn.

Researchers from Bad Packets reported that threat actors have been scanning the Internet for SAP systems affected by RECON vulnerability, , tracked as CVE-2020-6287.

Immediately after a researcher released a proof-of-concept (PoC) exploit for the RECON vulnerability, hackers started the scanning activity.

Quick and dirty (sorry i did it during lunch time) PoC for SAP RECON vulnerability (CVE-2020-6287, CVE-2020-6286).https://t.co/i2pImKwmEU
— Dmitry Chastuhin (@_chipik) July 15, 2020

Last week, SAP released security patches to address the RECON (Remotely Exploitable Code On NetWeaver) flaw, warning that it could be exploited by attackers to take over corporate servers.

The flaw was discovered by security firm Onapsis, according to the experts, the RECON vulnerability allows an attacker to create an SAP user account with maximum privileges on SAP applications exposed online, this means that he will take full control over the compromised SAP systems.

The RECON issue resides in the SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30 to 7.50, which is a core component in most SAP environments.

The component is used in several popular SAP products, including SAP S/4HANA, SAP SCM, SAP CRM, SAP CRM, SAP Enterprise Portal, and SAP Solution Manager (SolMan).

RECON is caused by the lack of authentication in an SAP NetWeaver AS for Java web component.

Onapsis experts warned that 40,000 SAP customers could be impacted and estimated that there were at least 2,500 vulnerable systems exposed online.

The PoC exploit for the RECON flaw cannot be used to create an admin account, but exploits the flaw vulnerabilities to check if a SAP server is vulnerable to attacks and to download any ZIP archive from the vulnerable server.

Researchers from threat intelligence firm Bad Packets observed “mass scanning activity” that started since Wednesday, July 15, at around 6 PM UTC.

https://twitter.com/bad_packets/status/1283823441833934848

Unfortunately, it’s not possible to determine if the scans are conducted by security experts searching for vulnerable SAP installs of by bad actors.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to patch their internet-facing systems as soon as possible. If not possible, organizations could apply mitigations proposed by SAP to its customers

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Recon vulnerability)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini August 26, 2025

Auchan discloses data breach: data of hundreds of thousands of customers exposed

Pierluigi Paganini August 25, 2025