[ERPSCAN-15-023] SAP Afaria – Authorization bypass, Insecure signature

Application: SAP Afaria 7.0.6001.5
Vendor URL: http://www.sap.com
Bugs: Authorization bypass
Reported: 12.03.2015
Vendor response: 13.03.2015
Date of Public Advisory: 12.05.2015
Reference: SAP Security Note 2134905
Authors: Dmitry Chastukhin (ERPScan)

An anonymous attacker can spoof a request and send it to a mobile device managed by SAP Afaria.

Business Risk
An attacker can use the authorization bypass to wipe or lock mobile devices remotely. This can lead to sabotage and other attacks.

