VDB
CVE-2020-6207
CVE-2020-6207
PUBLISHED
KEV
CVSS 10 CRITICAL
SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.
EPSS 94.15% · 99.9th percentile
Risk Scores
CVSS 3.0
10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score
94.15%
99.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| sap | solution_manager | 7.20 |
| SAP SE | SAP Solution Manager (User Experience Monitoring) | < 7.2 |
Timeline
- CVE Published
- Jan 25, 2021 PoC Published
- Mar 25, 2021 PoC Published
- Mar 26, 2021 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 15, 2021 EPSS Score
- Jun 16, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Nov 3, 2021 CISA KEV Added
- Nov 8, 2021 PoC Published
- Nov 20, 2021 PoC Published
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305 url
- https://launchpad.support.sap.com/#/notes/2890213 url
- http://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.html url
- 20210405 Onapsis Security Advisory 2021-0001: [CVE-2020-6207] - Unauthenticated RCE in SAP all SMD Agents connected to SAP SolMan mailing-list
- http://packetstormsecurity.com/files/162083/SAP-SMD-Agent-Unauthenticated-Remote-Code-Execution.html url
- 20210614 Onapsis Security Advisory 2021-0014: Missing authorization check in SAP Solution Manager LM-SERVICE Component SP 11 PL 2 mailing-list
- http://packetstormsecurity.com/files/163168/SAP-Solution-Manager-7.20-Missing-Authorization.html url
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-6207 url
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700 advisory
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2020-6207 advisory