Onapsis on Wednesday announced the release of an open source tool that helps organizations determine if their SAP systems are vulnerable to RECON attacks and checks if they may have already been targeted.
RECON is the name assigned to a recently disclosed vulnerability — officially tracked as CVE-2020-6287 — that researchers at Onapsis identified in a component used by many SAP products.
The critical vulnerability can be exploited by a remote, unauthenticated attacker who has access to the targeted system to create a new SAP admin user, allowing them to gain full control of the system.
SAP released patches earlier this month, but Onapsis warned at the time that over 40,000 SAP customers could be affected and the cybersecurity company estimated that at least 2,500 systems in North America, Europe and the APAC region were exposed to attacks from the internet.
Proof-of-concept (PoC) exploit code was released by a researcher shortly after disclosure and at around the same time threat intelligence company Bad Packets reported seeing mass scanning activity targeting the RECON vulnerability.
Onapsis announced on Wednesday that it has released INSTANT RECON, an open source vulnerability assessment and indicator of compromise (IoC) scanner for CVE-2020-6287.
This free tool is designed to conduct a blackbox scan of SAP applications to determine if they are vulnerable, and it performs a basic analysis of SAP application logs in an effort to determine if the RECON vulnerability has already been exploited against the user’s organization.
“If IoCs are identified, it is strongly recommended that you perform an in-depth forensic examination of the evaluated systems (and inter-connected ones), to determine the scope and extent of a potential compromise,” Onapsis explained in the tool’s README file on GitHub.
The company also pointed out, “There are, however, several known limitations of this tool and its usage should not be considered a guarantee that SAP applications are either not exposed to RECON (and other vulnerabilities) or that the applications have not been compromised. Several conditions can affect the state of the assessed applications and/or log files, resulting in false positives and/or false negatives.”
INSTANT RECON can be found on GitHub, but it has also been made available as a free online tool, with results of the scan being sent to users via email.
If an attacker successfully exploits the flaw, they can read or modify files and database records, which could allow them to steal personal and financial information, change financial details, disrupt operations, execute OS commands, and cover their tracks by modifying or deleting logs.
Related: Industrial Cybersecurity Firm Claroty Releases Open Source Database Parser
Related: Sophos Releases Sandboxie in Open Source
Related: Google Releases Open Source Tool for Finding File Access Vulnerabilities

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
Latest News
- Russian Millionaire on Trial in Hack, Insider Trade Scheme
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Vulnerabilities in OpenEMR Healthcare Software Expose Patient Data
- Russia-Linked APT29 Uses New Malware in Embassy Attacks
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
