Cybersecurity researchers have warned of a publicly available fully-functional exploit that could be used to target SAP enterprise software.
The exploit leverages a vulnerability, tracked as CVE-2020-6207, that stems from a missing authentication check in SAP Solution Manager (SolMan) version 7.2
SAP SolMan is an application management and administration solution that offers end-to-end application lifecycle management in distributed environments, acting as a centralized hub for implementing and maintaining SAP systems such as ERP, CRM, HCM, SCM, BI, and others.
“A successful exploitation could allow a remote unauthenticated attacker to execute highly privileged administrative tasks in the connected SAP SMD Agents,” researchers from Onapsis said, referring to the Solution Manager Diagnostics toolset used to analyze and monitor SAP systems.
The vulnerability, which has the highest possible CVSS base score of 10.0, was addressed by SAP as part of its March 2020 updates.
Exploitation methods leveraging the flaw were later demonstrated at the Black Hat conference last August by Onasis researchers Pablo Artuso and Yvan Genuer to highlight possible attack techniques that could be…