The vulnerability is introduced due to the lack of authentication in a web component of the SAP NetWeaver AS for Java allowing for several high-privileged activities on the SAP system. If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability.
SAP NetWeaver AS JAVA
Refer to SAP advisory for the complete list of affected products and it’s respective patches.