The Cybersecurity and Infrastructure Security Agency (CISA) has learned that a vulnerability exists in the Java component of the SAP NetWeaver platform and is urging organizations to apply patches immediately in response.
CISA said that on July 13, SAP released a security update to address a critical vulnerability affecting the SAP NetWeaver Application Server Java component LM Configuration Wizard.
An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications, CISA said in an alert.
“Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications,” CISA is strongly recommending that organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems.
Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service, CISA advised.
“Should these options be unavailable or if the actions will take more than 24 hours to complete, CISA strongly recommends closely monitoring your SAP NetWeaver AS for anomalous activity,” CISA said.
CISA said it was unaware of any active exploitation of this vulnerability at the time of the report.
“However, because patches have been publicly released, the underlying vulnerabilities could be reverse-engineered to create exploits that target unpatched systems,” CISA said.