cancel
Showing results for 
Search instead for 
Did you mean: 
Eli_Kreminchuke
F5 Employee
F5 Employee

According to a new research by the cybersecurity firm Onapsis and SAP, they have detected 1,500 attempts to exploit mission critical SAP systems with over 300 successful exploitation between mid-2020 and March 2021.


The research states the “the evidence captured in this report clearly shows that threat actors have the motivation, means and expertise to identify and exploit unprotected mission-critical SAP applications, and are actively doing so. They are directly targeting these applications, including, but not limited to enterprise resource planning (ERP), supply chain management (SCM), human capital management (HCM), product lifecycle management (PLM), customer relationship management (CRM) and others”.


In addition, the research found that the attackers use sophisticated attack vectors chaining several vulnerabilities to compromise the system.

The research found that there are six exploits used by the attackers:


  • CVE-2010-5326 - Remote code execution flaw in SAP NetWeaver Application Server (AS) Java
  • CVE-2016-3976 - Directory traversal vulnerability in SAP NetWeaver AS Java
  • CVE-2016-9563 - XML External Entity (XXE) expansion vulnerability in BC-BMT-BPM-DSK component of SAP NetWeaver AS Java
  • CVE-2018-2380 - Directory traversal vulnerability in Internet Sales component in SAP CRM
  • CVE-2020-6207 - Missing authentication check in SAP Solution Manager
  • CVE-2020-6287 - RECON (aka Remotely Exploitable Code On NetWeaver) flaw in LM Configuration Wizard component


0151T0000040Q2iQAE.jpg

Figure 1:  Exploits used by attackers as illustrated in Onapsis’s report



Mitigation with Advanced WAF


Advanced WAF customers under any supported version are already protected against those vulnerabilities as exploitation attempts will be detected by a dedicated signatures. The signatures could be found under the " Path Traversal”, “Authentication/Authorization Attacks”, “Other Application Attacks” and " Server Side Code Injection" signature sets.


0151T0000040Q2nQAE.jpg

Figure 2: CVE-2010-5326 Exploit attempt blocked by signature id 200013037


0151T0000040Q2sQAE.jpg

Figure 3: CVE-2016-3976 Exploit attempt blocked by signature id 200007040

0151T0000040Q2xQAE.jpg

Figure 4: CVE-2016-9563 Exploit attempt blocked by signature id 200018030



0151T0000040Q2oQAE.jpg

Figure 5: CVE-2018-2380 Exploit attempt blocked by signature id 200007039


0151T0000040Q2jQAE.jpg

Figure 6: CVE-2020-6207 Exploit attempt blocked by signature id 200104675


0151T0000040Q32QAE.jpg

Figure 7: CVE-2020-6207 Exploit attempt blocked by signature id 200104676


0151T0000040Q37QAE.jpg

Figure 8: CVE-2020-6287 Exploit attempt blocked by signature id 200013021


Mitigating with Threat Campaigns


Advanced WAF customers with Threat Campaign license could detect and block campaigns targeting those vulnerabilities with the following Threat Campaigns:


  • SAP NetWeaver BC-BMT-BPM-DSK XXE - CVE-2016-9563
  • SAP Solution Manager Missing Authentication Remote Code Execution - CVE-2020-6207
  • SAP NetWeaver Log Injection Remote Code Execution - CVE-2018-2380
  • SAP NetWeaver CrashFileDownloadServlet Arbitrary File Read - CVE-2016-3976
  • SAP RECON Remote Code Execution - CVE-2020-6287
  • SAP ConfigServlet Remote Code Execution - CVE-2010-5326


Additional References

https://onapsis.com/active-cyberattacks-mission-critical-sap-applications




Version history
Last update:
‎08-Apr-2021 08:46
Updated by:
Contributors