Connect with us

Hi, what are you looking for?


Malware & Threats

Scanning Activity Detected After Release of Exploit for Critical SAP SolMan Flaw

A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020.

A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020.

Solution Manager (SolMan) was designed to provide central management for SAP and non-SAP systems and requires for Solution Manager Diagnostic Agent (SMDAgent) to be installed on each host, for the management of communications, monitoring, and diagnostics.

Tracked as CVE-2020-6207 and featuring a CVSS score of 10, the security flaw is a missing authorization check in the EEM Manager component of SolMan, which could allow an unauthenticated, remote attacker to execute operating system commands on hosts, as the SMDAgent.

The researcher who published the fully-functional exploit for the bug on GitHub claims the project is for educational purposes only, and that it “cannot be used for law violation or personal gain.”

Following the publication of the exploit, however, security researchers at Onapsis, a firm that specializes in securing SAP applications, have observed scanning in the wild for vulnerable systems.

It’s not common for proof-of-concept (PoC) exploits targeting SAP vulnerabilities to be made public, Onapsis says, adding that the availability of the code will likely result in an increase in exploitation attempts from both SAP-expert adversaries, and script kiddies.

“A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business process and data at risk—impacting cybersecurity and regulatory compliance,” Onapsis notes.

Advertisement. Scroll to continue reading.

Being an administrative system, SolMan “has connections and trust relationships with every SAP system throughout the landscape,” and an attacker able to compromise it would essentially gain access to any business system connected to it, the security firm warns.

Attackers looking to exploit the vulnerability need access to the SolMan HTTP(s) port. The remote attacker would gain control of the affected system with admin privileges, enabling them to conduct a wide range of activities.

“An attacker will need network visibility to SolMan as this system is not frequently exposed to the Internet. So for most companies, risk of this exploit should be mostly limited to internal attacks (unless external attackers have already compromised another system and are inside the network,” Onapsis explains.

Organizations that have already applied the available patches are not exposed to attacks leveraging this or other similar exploits. According to Onapsis, however, SolMan is often overlooked when it comes to patching, mainly because it does not hold any business information.

Related: Critical Vulnerabilities in SAP Solution Manager Expose Companies to Attacks

Related: SAP Patches Serious Code Injection, DoS Vulnerabilities

Related: SAP Releases Four ‘Hot News’ Notes on December 2020 Patch Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.