Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



Critical Vulnerabilities in SAP Solution Manager Expose Companies to Attacks

SAP on Tuesday released 16 security notes and two updates to previously released patches as part of its March 2020 Security Patch Day, with three of the new notes rated hot news.

SAP on Tuesday released 16 security notes and two updates to previously released patches as part of its March 2020 Security Patch Day, with three of the new notes rated hot news.

The most important of the notes address critical (hot news) missing authorization checks in Solution Manager. The first of them, CVE-2020-6207, features a CVSS score of 10 and impacts User-Experience Monitoring, while the second, CVE-2020-6198, features a CVSS score of 9.8 and impacts Diagnostics Agent.

Providing central management for SAP and non-SAP systems, Solution Manager requires the installation of Solution Manager Diagnostic Agent (SMDAgent) on each host. The agent is in charge of the management of communications, monitoring and diagnostic feedback.

Due to CVE-2020-6207, when default configurations were used, an unauthenticated remote attacker could execute operating system commands as the SMDAgent on each host. The attacker could then exploit other vulnerabilities to potentially gain access to the full SAP landscape.

By exploiting CVE-2020-6198, an attacker could bypass authentication, meaning that anyone with access to the network could mount an attack, even if they are not a valid Solution Manager user. Due to exploitation not requiring any kind of privileges, the bug is considered critical severity, Onapsis, a firm that specializes in securing Oracle and SAP applications, explains.

Additionally, SAP addressed a path manipulation flaw in NetWeaver UDDI Server (Services Registry). Tracked as CVE-2020-6203, it features a CVSS score of 9.1. This is a directory traversal issue caused by the incorrect validation of the path provided by a user when importing UDDI content via the Services Registry.

A fourth hot news security note was included in this month’s Security Patch Day, a recurring update to the browser control Google Chromium delivered with SAP Business Client. The update brings the browser up to version 80, which was released in early February with patches for 56 vulnerabilities.

SAP also released four high-priority security notes, the most important of which patches a remote code execution vulnerability in Business Objects Business Intelligence Platform (Crystal Reports). Tracked as CVE-2020-6208, the security flaw has a CVSS score of 8.2.

“Possible exploits range from unauthorized execution of arbitrary commands to completely crashing the application. Only the fact that the attacker needs to upload a malicious file to the platform before and that he or she must get another user to open the file prevents the issue from being rated with an even higher CVSS score,” Onapsis says.

Moreover, SAP patched a missing authorization check in Disclosure Management (CVE-2020-6209) and a denial of service (DoS) bug in BusinessObjects Mobile (CVE-2020-6196), both of which have a CVSS score of 7.5.

The fourth high-priority note is an update to a patch released in August 2018, and which addressed an SQL injection in SAP MaxDB/liveCache.

The remaining ten security notes released on this month’s Security Patch Day are medium priority and include three Cross-Site Scripting (XSS) flaws (in Commerce Cloud, NetWeaver, and Fiori Launchpad), missing XML validation (in NetWeaver), missing authorization checks (in ERP and S/4 HANA, and Treasury and Risk Management), and insufficient session expiration (in Enable Now Manager).

SAP also released four other security notes between the second Tuesday of the last month and the second Tuesday of this month, for a total of 22 security notes. One of these patches addresses a high-severity directory traversal in Environment Health and Safety that an attacker could exploit to read and/or overwrite arbitrary files on the remote server, Onapsis says.

Related: SAP Releases 13 Security Notes on February 2020 Patch Day

Related: SAP Releases 6 Security Notes on January 2020 Patch Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet