Attackers could combine vulnerabilities in the resource planning tool Sage X3

If organizations use Sage X3 for resource planning, admins should install the latest version. Otherwise, attackers could target systems and execute malicious code with system privileges.

One vulnerability (CVE-2021-7388) is considered particularly dangerous: it is classified as "critical" with the highest possible CVSS score of 10 out of 10. If remote attackers successfully send a crafted request to a listening admin port, they could completely disable authentication. In combination with another vulnerability (CVE-2021-7387), information could leak that attackers could use to push malicious code onto systems. Security researchers at Rapid7 warn of this in a post.

The software manufacturer Sage states that it has closed the vulnerabilities in the current X3 versions. Admins should download the release relevant to them and install it promptly. In addition, the security researchers recommend not making X3 instances accessible via the Internet. If this cannot be avoided, access should only be possible via a secure VPN connection.

