CVE-2020-6207
Published: 10 March 2020
Summary
CVE-2020-6207 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Sap Solution Manager. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Deeper analysis
SAP Solution Manager version 7.2 in the User Experience Monitoring component is affected by a missing authentication check vulnerability, tracked as CVE-2020-6207 and CWE-306. The flaw causes a service to skip authentication entirely, enabling unauthenticated access that results in full compromise of all connected SMDAgents. It carries a CVSS 3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can exploit the issue to achieve complete control over every SMDAgent linked to the Solution Manager instance, with impacts spanning confidentiality, integrity, and availability of the monitored environment.
Public exploit code and technical details for this vulnerability have been disclosed in multiple outlets, including Packet Storm and Full Disclosure mailing list postings from 2021 that demonstrate remote command execution and missing authorization vectors against the affected SAP components.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-27357
Vulnerability details
SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication requirements on the exposed UX Monitoring service before any access or commands are permitted to SMDAgents.
Requires the Solution Manager service itself to perform identification and authentication, eliminating the missing-authentication flaw described in CWE-306.
Mandates authentication and authorization for all remote connections to the Solution Manager, blocking unauthenticated network exploitation of the service.