CVE-2020-6207

Solution Manager vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

SAP Solution Manager 7.2 contains a critical remote command execution vulnerability caused by missing authentication checks in the SAP EEM (Enterprise Event Management) servlet. Attackers can execute arbitrary OS commands and perform Server-Side Request Forgery (SSRF) attacks by sending specially crafted SOAP requests without any authentication. The vulnerability was disclosed on March 10, 2020. CISA has identified CVE-2020-6207 as being exploited but is not currently known to be used in ransomware campaigns.

Technical details

The SAP EEM servlet in Solution Manager 7.2 fails to properly validate and authenticate incoming SOAP requests. The vulnerable endpoint accepts unauthenticated SOAP messages that can be weaponized to execute arbitrary operating system commands on the underlying server. Additionally, the same authentication bypass can be leveraged to perform SSRF attacks, allowing attackers to make requests to internal systems and services from the perspective of the vulnerable SAP application.

The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-918 (Server-Side Request Forgery (SSRF)).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.

Impact

An attacker without authentication can gain complete control over the SAP Solution Manager server by executing arbitrary operating system commands with the privileges of the application server process. This allows for data exfiltration, system compromise, lateral movement within the network, and disruption of services. The SSRF capability enables attackers to access and attack internal systems that are only reachable from the compromised server, potentially compromising other SAP systems and critical infrastructure.

Mitigation and workarounds

SAP recommends upgrading to SAP Solution Manager 7.2 SP09 Patch 04 or later. Apply the security patch provided in SAP Security Note 2904267. Ensure all supporting components are updated to compatible versions. The following versions include the necessary fixes: SAP Solution Manager 7.2 SP09 Patch 04, SAP Solution Manager 7.2 SP10 and later.

As temporary workarounds:
- Implement network-level access controls to restrict access to the SAP Solution Manager instance.
- Use a web application firewall (WAF) or reverse proxy to block unauthenticated SOAP requests to the EEM servlet endpoint (typically the /service/sap/bc/soap endpoints).
- Disable or restrict the EEM servlet if it is not actively used in the environment.
- Isolate the SAP Solution Manager instance on a restricted network segment and limit outbound connectivity so that SSRF requests cannot reach internal systems.
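One way to monitor the network-restriction workaround above is to review reverse-proxy access logs for SOAP calls to the EEM servlet path that originate outside the management network. The script below is an added example for this advisory, not SAP tooling; it assumes Apache combined-format logs, that the servlet sits under the /service/sap/bc/soap prefix named above, and a constructed allowlisted subnet (10.10.0.0/24).

```python
"""Flag SOAP requests to the SAP EEM servlet path from outside an allowlisted network.

Added example for this advisory, not SAP's code. Assumes Apache combined-style
access logs from a reverse proxy in front of Solution Manager, and that the EEM
servlet lives under /service/sap/bc/soap (the prefix named in the workaround
text); adjust EEM_PATH_PREFIX and ALLOWED_NETS to match the deployment.
"""
import ipaddress
import re

EEM_PATH_PREFIX = "/service/sap/bc/soap"  # prefix given in the advisory's workaround text
ALLOWED_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # constructed management subnet

# Apache combined log: client, ident, user, [timestamp], "request line", status, size, "referrer", "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (sub-paths and clients are made up for illustration).
SAMPLE_LOG = """\
10.10.0.5 - - [10/Mar/2020:12:00:01 +0000] "POST /service/sap/bc/soap/eem HTTP/1.1" 200 512 "-" "SolManAgent/7.2"
198.51.100.23 - - [10/Mar/2020:12:00:07 +0000] "POST /service/sap/bc/soap/eem HTTP/1.1" 200 512 "-" "python-requests/2.22"
203.0.113.9 - - [10/Mar/2020:12:00:09 +0000] "GET /sap/bc/ui5_ui5/ui2/ushell/index.html HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
"""


def is_allowed(ip):
    """True if the client address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def find_suspicious(log_text):
    """Return (client_ip, path, status) for POSTs to the EEM prefix from non-allowlisted clients."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined-format entries
        if m["method"] == "POST" and m["path"].startswith(EEM_PATH_PREFIX) and not is_allowed(m["ip"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_suspicious(SAMPLE_LOG):
        print(f"ALERT: {ip} reached EEM servlet path {path} from outside the management network (HTTP {status})")
```

A 200 response on such a request from an unexpected client is the condition the proxy or WAF rule should be denying; a stream of 401/403 results indicates the block is in place.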

CISA's recommendation: Apply updates per vendor instructions.

Source: This report was generated using AI

Related SAP SE Vulnerabilities

No related vulnerabilities found with identified affected products.