CVE-2020-6207

Known Exploited Public Exploit

Description

SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.

References

Link	Tags
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305	vendor advisory broken link
https://launchpad.support.sap.com/#/notes/2890213	vendor advisory permissions required
http://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.html	third party advisory vdb entry exploit
http://seclists.org/fulldisclosure/2021/Apr/4	third party advisory mailing list
http://packetstormsecurity.com/files/162083/SAP-SMD-Agent-Unauthenticated-Remote-Code-Execution.html	third party advisory vdb entry exploit
http://seclists.org/fulldisclosure/2021/Jun/34	third party advisory mailing list
http://packetstormsecurity.com/files/163168/SAP-Solution-Manager-7.20-Missing-Authorization.html	third party advisory

Frequently Asked Questions

What is the severity of CVE-2020-6207?: CVE-2020-6207 has been scored as a critical severity vulnerability.
How to fix CVE-2020-6207?: To fix CVE-2020-6207, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-6207 being actively exploited in the wild?: It is confirmed that CVE-2020-6207 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~94% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-6207?: CVE-2020-6207 affects SAP SE SAP Solution Manager (User Experience Monitoring).

Description

Category

CWE-306 – Missing Authentication for Critical Function

References

Frequently Asked Questions