The July patch bundle from SAP includes a critical patch to resolve a vulnerability in the NetWeaver application server which could allow an unauthenticated attacker to gain unrestricted access to the SAP environment and database.
According to the description of the vulnerability, recorded as CVE-2020-6287:
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions – 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.
The vulnerability can be exploited through the HTTP interface, which is often exposed to users and open to the Internet. The problem lies in a default component that is part of many SAP products, and the vulnerability has been given the maximum CVSS rating of 10 (Critical).