CVE-2020-6287 SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user..
POTENTIAL IMPACT If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges
of the SAP service user account. Unauthenticated attacker can exploit this vulnerability through an HTTP interface, which is typically exposed to end users and,
in many cases, exposed to the internet.
SAP NetWeaver AS for Java technology supports the SAP Portal component, which may therefore be affected by this vulnerability and is typically exposed to the internet. Passive analysis of internet-facing applications indicates that a number of such applications are connected to the internet and could be affected by this vulnerability. Mitigation Patched versions of the affected components are available at the SAP One Support Launchpad. Account SAP