Sage X3 Vulnerabilities Can Pose Serious Risk to Organizations
Researchers at cybersecurity firm Rapid7 have uncovered several vulnerabilities in the Sage X3 enterprise resource planning product, including flaws that can be exploited remotely without authentication to take complete control of a system.
The critical flaw, tracked as CVE-2020-7388, has been described as an unauthenticated remote command execution issue.
The vulnerability is related to a remote administration service and it can be exploited using specially crafted requests to execute commands with elevated privileges.
"When combining CVE-2020-7387 and CVE-2020-7388, an attacker can first learn the installation path of the affected software, then use that information to pass commands to the host system to be run in the SYSTEM context," Rapid7 explained in a blog post.
"This can allow an attacker to run arbitrary operating system commands to create Administrator level users, install malicious software, and otherwise take complete control of the system for any purpose."
The two remaining flaws have been described as authenticated OS command injection and persistent cross-site scripting issues.
Related Vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2021-07-22 | CVE-2020-7388 | Authentication Bypass by Spoofing vulnerability in Sage Adxadmin: Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component | 9.8 |
| 2021-07-22 | CVE-2020-7387 | Unspecified vulnerability in Sage Adxadmin: Sage X3 Installation Pathname Disclosure | 5.3 |