Vulnerabilities Reported In Sage X3 Enterprise Management Software

Four security vulnerabilities have been uncovered in the Sage X3 ERP (enterprise resource planning) product. Two of the four can be chained together as part of an attack sequence, allowing adversaries to execute malicious commands and take control of vulnerable systems.

Researchers at Rapid7 discovered the flaws and reported them on February 3, 2021. The company addressed all of the flaws with the release of Sage X3 Version 12 (Syracuse 12.10.2.8), Sage X3 Version 11 (Syracuse 11.25.2.6), Sage X3 HR & Payroll Version 9 (Syracuse 9.24.1.3), and Sage X3 Version 9 (Syracuse 9.22.7.2).

When CVE-2020-7388 and CVE-2020-7387 are combined, an attacker can first obtain information about the installation and then use that information to pass commands to the host system, where they run in the SYSTEM context. This allows the attacker to run arbitrary operating system commands and, with them, take complete control of the system, install malicious software, and create administrator-level users.

The Four Sage X3 Enterprise Management Software Flaws:

  • CVE-2020-7388 (CVSS Score: 10.0) – Unauthorized Command Execution Bypass by Spoofing in AdxAdmin
  • CVE-2020-7387 (5.3 Medium) – Sensitive Information Exposed to an Unauthorized Actor in AdxAdmin
  • CVE-2020-7389 (5.5 Medium) – Missing Authentication for Critical Function in Developer Environment in Syracuse
  • CVE-2020-7390 (4.6 Medium) – Persistent Cross-Site Scripting (XSS) in Syracuse

Most Critical Sage X3 Flaw:

The most critical of the flaws is CVE-2020-7388. It takes advantage of an administrative service, reachable over the Internet, that is used for remote management of the Sage ERP solution through the Sage X3 Console. Maliciously crafted requests sent to this service run arbitrary commands on the server as “NT AUTHORITY / SYSTEM”.

Other Flaws And Their Consequences:

CVE-2020-7390 is a stored XSS vulnerability in the ‘Edit’ page for user profiles in the Sage X3 Syracuse web server component. It allows arbitrary JavaScript code placed in the ‘E-mail,’ ‘Last name,’ and ‘First Name’ fields to execute on “mouseOver” events.

If exploited successfully, this vulnerability could allow a regular Sage X3 user to run privileged functions as a currently logged-in administrator. The user could also capture administrator session cookies for later impersonation of that administrator.

Successful exploitation of CVE-2020-7387 exposes Sage X3 installation paths to an unauthorized user. CVE-2020-7389, on the other hand, is a missing authentication flaw in Syracuse development environments, which can be used to obtain code execution through command injection.

Solution For The Critical Flaws In Sage X3 Enterprise Management Software:

With these facts in mind, the researchers recommended not exposing Sage X3 installations to the Internet. Where remote access is essential, the installation should be made accessible only over a secure VPN connection. Following this advice effectively eliminates all four critical flaws reported in Sage X3 enterprise management software. We urge users to update on their regular patch cycle schedules.
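As an added example (not from Rapid7, Sage, or the original article), the following Python checks a host inventory against the fixed Syracuse builds listed earlier and flags patched hosts that are still Internet-facing. The inventory format, host names and product-line labels are constructed, and it assumes Syracuse version strings are dotted integers that compare component by component.

```python
# Added example: audit an inventory against the fixed Syracuse builds in the article.
# Assumption: Syracuse versions are dotted integers that order component by component.
FIXED = {  # product line (label is hypothetical) -> first fixed Syracuse build
    "X3 V12": (12, 10, 2, 8),
    "X3 V11": (11, 25, 2, 6),
    "X3 HR & Payroll V9": (9, 24, 1, 3),
    "X3 V9": (9, 22, 7, 2),
}

INVENTORY = [  # constructed sample: (host, product line, Syracuse version, internet-facing)
    ("erp-01", "X3 V12", "12.10.2.10", False),
    ("erp-02", "X3 V11", "11.25.2.5", True),
    ("erp-03", "X3 HR & Payroll V9", "9.24.1.3", True),
    ("erp-04", "X3 V9", "9.22.7", False),
    ("erp-05", "X3 V12", "unknown", False),
]

def parse_version(text):
    """Return a tuple of ints, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def assess(line, syracuse, internet_facing):
    """Classify one host as 'unknown', 'vulnerable', 'exposed' or 'ok'."""
    fixed = FIXED.get(line)
    version = parse_version(syracuse)
    if fixed is None or version is None:
        return "unknown"      # unrecognised line or unparsable version: review by hand
    if version[0] != fixed[0]:
        return "unknown"      # version does not belong to the claimed product line
    if version < fixed:       # integer tuples, so 12.10.2.10 sorts above 12.10.2.8
        return "vulnerable"   # below the fixed build for this line
    # Patched, but the researchers also advise against Internet exposure.
    return "exposed" if internet_facing else "ok"

def audit(inventory):
    """Map each host name to its status."""
    return {host: assess(line, ver, facing) for host, line, ver, facing in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need manual review, since the article lists fixed builds only for the four product lines above.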


Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud.

For a consultation with the professionals at Rogue Logics, contact us and get a free quote.
