Critical vulnerability in SAP Solution Manager puts thousands of organizations at risk

Cybercriminal groups have been running mass internet scans to find servers affected by a critical SAP vulnerability for which a fully functional exploit already exists. The flaw, tracked as CVE-2020-6207, affects SAP Solution Manager (SolMan) v7.2.

This flaw received a score of 10/10 on the Common Vulnerability Scoring System (CVSS) scale and exists due to a missing authentication check. SolMan, the vulnerable product, is a centralized application for managing cloud computing systems.


The authentication problem lies in the End User Experience Monitoring (EEM) feature, which can be abused to deploy scripts on other systems, leading to the hijacking of any tool connected to SolMan through remote code execution. Although SAP released a patch to fix this flaw, the risk increased with the release of a proof of concept (PoC) exploit.

A few days ago, researcher Dmitry Chastuhin released the PoC as part of a research project. Chastuhin mentions that the script verifies and exploits missing authentication checks in SAP EEM, and that a number of exploitation cases and requests have already been detected in real-world scenarios.

These requests come from Europe and Asia, originating from a large number of IP addresses. The researcher adds that organizations that have already installed the security patch are protected from exploitation; however, vulnerable systems that have not been updated leave their organizations exposed to exploitation of the flaw.

“The availability of a public exploit greatly increases the chances of a cyberattack, giving less knowledgeable hackers the ability to abuse a security flaw that could only be exploited by advanced hackers under other conditions,” the researcher adds. System administrators using vulnerable deployments are encouraged to install available updates as soon as possible to mitigate the risk of exploitation.

Members of the cybersecurity community have tried to reach the company, although SAP has not added further details on these reports.

For further reports on vulnerabilities, exploits, malware variants, cybersecurity risks and information security courses, feel free to visit the International Institute of Cyber Security (IICS) websites, as well as the official platforms of technology companies.