Feedback Friday Industry Experts Comment on Hive Ransomware Takedown

Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Open Source Tool Checks SAP Systems for RECON Attack IOCs

Onapsis on Wednesday announced the release of an open source tool that helps organizations determine if their SAP systems are vulnerable to RECON attacks and checks if they may have already been targeted.

Onapsis on Wednesday announced the release of an open source tool that helps organizations determine if their SAP systems are vulnerable to RECON attacks and checks if they may have already been targeted.

RECON is the name assigned to a recently disclosed vulnerability — officially tracked as CVE-2020-6287 — that researchers at Onapsis identified in a component used by many SAP products.

The critical vulnerability can be exploited by a remote, unauthenticated attacker who has access to the targeted system to create a new SAP admin user, allowing them to gain full control of the system.

SAP released patches earlier this month, but Onapsis warned at the time that over 40,000 SAP customers could be affected and the cybersecurity company estimated that at least 2,500 systems in North America, Europe and the APAC region were exposed to attacks from the internet.

Proof-of-concept (PoC) exploit code was released by a researcher shortly after disclosure and at around the same time threat intelligence company Bad Packets reported seeing mass scanning activity targeting the RECON vulnerability.

Onapsis announced on Wednesday that it has released INSTANT RECON, an open source vulnerability assessment and indicator of compromise (IoC) scanner for CVE-2020-6287.

This free tool is designed to conduct a blackbox scan of SAP applications to determine if they are vulnerable, and it performs a basic analysis of SAP application logs in an effort to determine if the RECON vulnerability has already been exploited against the user’s organization.

“If IoCs are identified, it is strongly recommended that you perform an in-depth forensic examination of the evaluated systems (and inter-connected ones), to determine the scope and extent of a potential compromise,” Onapsis explained in the tool’s README file on GitHub.

The company also pointed out, “There are, however, several known limitations of this tool and its usage should not be considered a guarantee that SAP applications are either not exposed to RECON (and other vulnerabilities) or that the applications have not been compromised. Several conditions can affect the state of the assessed applications and/or log files, resulting in false positives and/or false negatives.”

INSTANT RECON can be found on GitHub, but it has also been made available as a free online tool, with results of the scan being sent to users via email.

If an attacker successfully exploits the flaw, they can read or modify files and database records, which could allow them to steal personal and financial information, change financial details, disrupt operations, execute OS commands, and cover their tracks by modifying or deleting logs.

Related: Industrial Cybersecurity Firm Claroty Releases Open Source Database Parser

Related: Sophos Releases Sandboxie in Open Source

Related: Google Releases Open Source Tool for Finding File Access Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.