The flaw is in a core component that exists by default in most SAP deployments and can be exploited remotely without the need of a username and password. The vulnerability is tracked as CVE-2020-6287 and is in the SAP NetWeaver Application Server Java. Affected SAP applications include SAP S/4HANA Java, SAP Enterprise Resource Planning (ERP), SAP Supply Chain Management (SCM), SAP CRM (Java Stack), SAP Enterprise Portal, SAP HR Portal and SAP Solution Manager (SolMan) 7.2.”]