Automated exploit of critical SAP SolMan vulnerability detected in the wild

Proof-of-concept exploit code was published last week.
Written by Charlie Osborne, Contributing Writer

Automated probes for servers containing a severe vulnerability in SAP software have been detected a week after a working exploit was published online. 

The vulnerability, tracked as CVE-2020-6207, is a bug in SAP Solution Manager (SolMan), version 7.2. 

The vulnerability has been awarded a CVSS base score of 10.0 -- the highest severity rating available -- and is caused by a missing authentication check.

SolMan is a centralized application used to manage on-premise, hybrid, and cloud IT systems. While describing the bug at Black Hat USA in August, Onapsis researchers called the application the "technical heart of the SAP landscape."

SolMan's End user Experience Monitoring (EEM) function contained the authentication issue. EEM can be used to deploy scripts in other systems, and as a result, compromising EEM can lead to the hijack of "every system" connected to SolMan via remote code execution (RCE), according to Onapsis.

SAP issued a patch for CVE-2020-6207 in March 2020 (SAP Security Note #2890213). However, for any servers left unpatched, the public release of working proof-of-concept (PoC) exploit code now heightens the risk of compromise.

Last week, Dmitry Chastuhin released a PoC for CVE-2020-6207 as a project for educational purposes. The security researcher said the script "check[s] and exploit[s] missing authentication checks in SAP EEM servlet."

Speaking to ZDNet, Onapsis said that "hundreds of requests" have already been detected in the wild, likely from automated tools probing for SAP systems still vulnerable to the critical flaw. The cybersecurity firm believes that the tools were developed quickly after the release of the PoC code.

The requests are mainly coming from Europe and Asia, and a variety of IPs have been documented so far.

If enterprise IT staff have applied the patch, there is no need for concern. However, if the security fix is yet to be implemented and SolMan setups are exposed online, the creation of automated exploit tools should spur admins on to resolve the security flaw as quickly as possible. 

"While exploits are released regularly online, this hasn't been the case for SAP vulnerabilities, for which publicly available exploits have been limited," Onapsis says. "The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own."

ZDNet has reached out to SAP and will update when we hear back. 
