Back to KEVs

CVE-2020-6207

SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a...

Basic Information

CVE State
PUBLISHED
Reserved Date
January 08, 2020
Published Date
March 10, 2020
Last Updated
January 29, 2025
Vendor
SAP SE
Product
SAP Solution Manager (User Experience Monitoring)
Description
SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.

CVSS Scores

CVSS v3.0

10.0 - CRITICAL

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2021-11-03 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2021-01-14 10:49:40 UTC) Source

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305 https://launchpad.support.sap.com/#/notes/2890213 http://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.html http://seclists.org/fulldisclosure/2021/Apr/4 http://packetstormsecurity.com/files/162083/SAP-SMD-Agent-Unauthenticated-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2021/Jun/34 http://packetstormsecurity.com/files/163168/SAP-Solution-Manager-7.20-Missing-Authorization.html

Known Exploited Vulnerability Information

Source Added Date
CISA 2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/sap/cve_2020_6207_solman_rs.rb 2025-04-29 11:01:25 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-6207.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

cve_2020_6207_solman_rs

Type: metasploit • Created: Unknown

Metasploit module for CVE-2020-6207

chipik/SAP_EEM_CVE-2020-6207

Type: github • Created: 2021-01-14 10:49:40 UTC • Stars: 81

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)