Cyber Resilience

CVE-2020-6287

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 14 July 2020
Modified: 31 October 2025
KEV Added: 03 November 2021
Patch: available (see vendor note below)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9439 (100.0th percentile)
Risk Priority: 97 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-6287 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2020-6287 is a missing authentication check vulnerability, tracked under CWE-306, that affects the LM Configuration Wizard component of SAP NetWeaver AS JAVA in versions 7.30, 7.31, 7.40, and 7.50. The flaw permits configuration tasks to be invoked without any prior authentication, directly exposing the SAP Java system to unauthenticated remote interaction.

An attacker with network access can exploit the issue to execute critical configuration actions, including creation of an administrative user account. This leads to full compromise of confidentiality, integrity, and availability, reflected in the CVSS 3.1 base score of 10.0 with an attack vector of network, low complexity, no privileges, and no user interaction.

SAP security note 2934135, the associated SCN wiki guidance, and Onapsis reporting outline mitigation steps that include applying vendor patches and restricting access to the affected configuration endpoints. Public exploit code has been released via Packet Storm and Full Disclosure mailing lists, confirming the vulnerability's practical exploitability shortly after disclosure.

Vulnerability details

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: SAP
Product: NetWeaver Application Server Java
Versions: 7.30, 7.31, 7.40, 7.50

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly enforces authentication requirements on the LM Configuration Wizard endpoints so that configuration actions (including admin user creation) cannot be invoked without prior authentication.
- Prevent: Mandates identification and authentication of users before allowing access to the SAP Java system, eliminating the unauthenticated remote interaction that CVE-2020-6287 exploits.
- Prevent: Restricts network access to the exposed LM Configuration Wizard endpoints, limiting the attack surface for unauthenticated configuration changes described in the CVE.