"Sage X3 Vulnerabilities Can Pose Serious Risk to Organizations"
Researchers at the cybersecurity firm Rapid7 discovered four vulnerabilities in the Sage X3 enterprise resource planning (ERP) product that pose a significant risk to organizations. One of the flaws has been rated critical, while the rest were rated medium in severity. The critical flaw is described as an unauthenticated remote command execution issue relating to a remote administration service. Exploiting it involves sending specially crafted requests to execute commands with elevated privileges. Exploitation of the critical flaw requires a piece of information that can be obtained through one of the medium-severity vulnerabilities, an installation pathname disclosure issue. Combining this medium-severity flaw with the critical flaw could allow an attacker to learn the affected software's installation path and then use that information to send commands to the host system to be run in the SYSTEM context. An attacker could run arbitrary operating system commands to create Administrator-level users, install malicious software, and more. Sage X3 is used by thousands of medium and large organizations globally. This article continues to discuss the potential exploitation and impact of the security vulnerabilities found in the Sage X3 ERP product.
Security Week reports "Sage X3 Vulnerabilities Can Pose Serious Risk to Organizations"