The RECON Vulnerability and related TTPs

Key takeaways 

  • CVE-2020-6287 is a vulnerability present in SAP NetWeaver software that hinges on a missing authentication check.
  • Successful weaponization of this vulnerability would allow attackers to abuse internet-facing SAP systems in a way that enables them to gain control over critical business processes.
  • Numerous threat actors would be interested in using CVEs that allow RCE such as CVE-2020-6287, including both financially-motivated cybercriminals and state-sponsored threat groups.
  • Blueliv’s dynamic risk score takes into account additional contextual factors and according to Blueliv’s scoring system, CVE-2020-6287 received a score of 8.5/10.



CVE-2020-6287 is a vulnerability present in SAP NetWeaver software. SAP NetWeaver is a technology stack capable of integrating various SAP business applications inside one application. Reported on by researchers at security firm Onapsis, CVE-2020-6287 hinges on a missing authentication check. This vulnerability has already been weaponized. When utilized by attackers, it could allow them to abuse internet-facing and internal SAP systems to create new users with full admin rights, enabling attackers to gain control over critical business processes such as purchasing, banking, and PII handling, or even to perform operating system command execution.



 Image 1: Blueliv’s Threat Context solution tracks different CVEs and maps them to cybercriminal activities. 


Using CVE-2020-6287 in an attack  

The weaponization of CVE-2020-6287 aligns with some MITRE ATT&CK patterns.

One such pattern is Exploit Public-Facing Application. Exploit Public-Facing Application (T1190) is a technique that falls under Initial Access and describes when threat actors endeavor to take advantage of internet-facing applications, in this case SAP NetWeaver.

Another ATT&CK pattern related to CVE-2020-6287 is Create Account (T1136). The critical aspect of CVE-2020-6287 is that it allows unauthenticated actors to create admin accounts on the application. When the vulnerability is successfully weaponized, this allows the attacker to execute system commands with the privilege level of the SAP service. Such system commands could result in, for example, the exfiltration of data or the installation of malware.

There are also certain adversary behaviors defenders might expect to see from threat actors preparing to deploy CVE-2020-6287. These techniques can be mapped to the MITRE Pre-ATT&CK framework, and can include conducting scans in order to identify vulnerable endpoints. For example:

  • Research relevant vulnerabilities/CVEs (T1291)
  • Conduct active scanning (T1254)


Blueliv’s Threat Compass module helps defenders identify and monitor threat actors that may be seeking to weaponize different CVEs. Threat Compass monitors mentions of CVEs across a spectrum of sources, including security vendor blogs, code repositories, and cybercriminal forums, among others.

One type of resource that Blueliv monitors is paste sites, such as the popular service Pastebin. While paste sites do have legitimate purposes, cybercriminals often use them as well. Using Blueliv’s Threat Context module, pastes referencing CVE-2020-6287 are identified.



Image 2: Blueliv’s Threat Context includes information on mentions of CVEs across various sources. Blueliv has identified over 100 mentions of CVE-2020-6287; four of those mentions are on Pastebin. 


Upon examination of these pastes, some of them appear to be lists of IP addresses of systems that have been identified as being potentially vulnerable to exploitation via CVE-2020-6287.



Image 3: A paste by “NORMSHIELD2” bears the header “SAP Netweaver Exploit Success Run / List1  CVE-2020-6287.”


Pastes can provide defenders with lots of useful information regarding threats. Being aware of the existence of pastes mentioning new or critical CVEs can help defenders identify and understand some of the threat actors that may be hoping to utilize a certain vulnerability. As evidenced in Image 3, it may also be useful to monitor paste sites for mentions of corporate IPs and other technological assets; this can be accomplished using Blueliv’s Hacktivism module.
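The check for corporate IPs in pastes described above can be sketched as follows. This is an added example, not Blueliv's code: the network ranges (RFC 5737 documentation addresses standing in for a corporate inventory), the paste ID and the paste text are all constructed.

```python
import ipaddress
import re

# Assumed asset inventory: documentation ranges stand in for corporate networks.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.64/26")]

# Dotted quad with optional :port; the lookarounds reject longer dotted
# numbers (version strings) but allow a sentence-ending period.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?!\d|\.\d)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample paste, shaped like a list of scan results.
SAMPLE_PASTE = """\
scan results CVE-2020-6287 (constructed sample)
198.51.100.7:50000
192.0.2.15:50000
203.0.113.70
203.0.113.200:443
build 10.20.30.40.50
"""

def scan_paste(paste_id, text, networks=CORPORATE_NETS):
    """Return a finding if the paste lists an address inside our networks, else None."""
    cves = sorted({m.upper() for m in CVE_RE.findall(text)})
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # octet out of range or leading zeros: not a usable address
            if any(addr in net for net in networks):
                hits.append({"line": line_no, "ip": str(addr), "port": m.group(2)})
    if not hits:
        return None
    # The CVE list gives the analyst context for why these hosts were listed.
    return {"paste": paste_id, "cves": cves, "hits": hits}

if __name__ == "__main__":
    print(scan_paste("constructed-paste-1", SAMPLE_PASTE))
```

A finding that pairs an in-scope address with a CVE mention is a cue to confirm the host's patch level and exposure first.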


Threat Actors 

Numerous threat actors would be interested in using CVEs that allow RCE such as CVE-2020-6287. While there is currently no public reporting indicating that criminal gangs are weaponizing this CVE in their operations, cybercriminals are known to be scanning for this vulnerability and identifying potentially vulnerable systems. Blueliv analysts also uncovered chatter about the vulnerability on the cybercriminal underground, demonstrating that cybercriminals are aware of and are discussing this vulnerability.

A CVE such as CVE-2020-6287 likely appeals strongly to financially motivated threat actors. SAP software is used to manage many of the critical functions of a business. As such, it’s employed by many companies across industries. Gaining access to troves of such sensitive business information would be an appealing prospect to data thieves, ransomware gangs, and all manner of other cybercriminals.

Additionally, CVE-2020-6287 has likely caught the eye of several state-sponsored threat actors. State-sponsored threat groups with a primary function of stealing foreign business information in order to help domestic industries would find the prospect of gathering armfuls of sensitive corporate data tantalizing for their economic espionage efforts. Other state-sponsored groups focused on surveillance may also be interested in CVE-2020-6287.


Threat Score 

CVE-2020-6287 was given the maximum score of 10/10 by the Common Vulnerability Scoring System (CVSS). The NIST has bestowed this max score on several vulnerabilities lately, such as CVE-2020-5902. When evaluating a CVE and its impact on an organization it is important to consider other factors such as whether the vulnerability has been observed being exploited by threat actors in the wild. For this reason, Blueliv generates its own dynamic risk score for CVEs. With these various factors taken into account, Blueliv has given CVE-2020-6287 a score of 8.5. This score is dynamic and it could continue increasing as more context is known.

Threat Context allows defenders to identify mentions of a specific CVE in various code repositories. This information assists defenders in identifying whether there may be a working PoC for a CVE, which in turn can help people better understand what a successful exploitation might look like by allowing defenders to adopt the point of view of an attacker.



Image 4: Blueliv monitors code repositories for mentions of specific CVEs. 


There are currently three publicly available exploits for CVE-2020-6287:



Solutions like Blueliv’s, which take into account not just the potential havoc that can be wreaked but also the conditions that make such a vulnerability more or less likely to be actively used, can help entities deal with vulnerability management and assist in prioritizing resources.



CVE-2020-6287 should be on the radar of everyone managing and protecting SAP systems. While the attacker objective with this vulnerability is gaining control of SAP systems, other internet-facing systems and applications are also prime targets for cybercriminals looking to get a foothold into corporate environments. Blueliv’s Threat Context can assist defenders in tackling the latest vulnerabilities by providing a risk score as well as information on available exploits and PoCs; malware, threat actors, and campaigns leveraging a CVE; and mentions across different sources such as “Hacktivism,” “Dark Web,” or “Security News.” Blueliv provides a dynamic scoring system for CVEs. Rather than remaining static and benchmarking at a point in time, this scoring accurately reflects their growing exploitation/weaponization.

In general, Blueliv’s Threat Context module helps security practitioners by providing information about the latest campaigns and threat actor activity, together with their related Indicators of Compromise (IOCs), Tactics, Techniques and Procedures (TTPs) and targets. Thanks to the list of TTPs related to actors using different CVEs, it is possible to prioritize actions to defend against this threat.


The RECON Vulnerability Content Series

Back in July, SAP issued patches for the RECON vulnerability that was identified and disclosed to SAP by the Onapsis Research Labs. Because of the severity and the number of potentially vulnerable Internet-exposed SAP systems, the DHS-CISA along with many other global organizations issued CERT Alerts warning organizations of the criticality of the RECON vulnerability. Both SAP and Onapsis urged organizations using SAP Applications to apply the patches immediately. In the days following the release of the patches for RECON, the Onapsis Research Labs and other security/threat intelligence organizations and researchers witnessed and reported rapid threat activity including scanning for vulnerable systems and ultimately weaponized exploit code posted publicly. This content is part of a coordinated effort with threat intelligence experts, researchers and organizations to provide further insight, intelligence and actions you should take to ensure your organization is protected from the RECON vulnerability. All the parts can be found here:


The post The RECON Vulnerability and related TTPs appeared first on Blueliv.

*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Xavier Coll. Read the original post at:
