
A critical vulnerability, carrying a severity score of 10 out of 10 on the CVSS bug-severity scale, has been disclosed for SAP customers.
The bug has been named RECON by the Onapsis Research Labs researchers that found it, and it affects more than 40,000 SAP customers, they noted.
Put another way, an unauthenticated attacker could create a new SAP user with maximum privileges, bypassing all access and authorization controls and gaining full control of SAP systems, Nunez said.
"With SAP NetWeaver Java being a fundamental base layer for several SAP products, the specific impact would vary depending on the affected system," according to Onapsis, in a technical analysis released on Tuesday.
He added, "For SAP customers, critical vulnerabilities such as RECON highlight the need to protect mission-critical applications, by extending existing cybersecurity and compliance programs to ensure these applications are no longer in a blind spot."
News URL
https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/
Related news
- New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell, Brute Ratel Framework
- SAP fixes critical NetWeaver flaw exploited in attacks
- Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324)
- Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More
- Week in review: Critical SAP NetWeaver flaw exploited, RSAC 2025 Conference
- China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide