Vulnerability in Sap Se Netweaver As Java (Lm Configuration Wizard)
CVE-2020-6287
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions a…
EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Sap Se Netweaver As Java (Lm Configuration Wizard) — versions < 7.30, < 7.31, < 7.40
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Public proof-of-concept exploits
References
- wiki.scn.sap.com/wiki/pages/viewpage.action (x_refsource_MISC)
- launchpad.support.sap.com/ (x_refsource_MISC)
- www.onapsis.com/recon-sap-cyber-security-vulnerability (x_refsource_MISC)
- 20210405 Onapsis Security Advisory 2021-0003: [CVE-2020-6287] - [SAP RECON] SAP JAVA: Unauthenticated execution of configuration tasks (mailing-list, x_refsource_FULLDISC)
- packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html (x_refsource_MISC)
Frequently asked questions
- What is CVE-2020-6287?
- CVE-2020-6287 is a critical-severity vulnerability in Sap Se Netweaver As Java (Lm Configuration Wizard). CVSS score: 10.0/10. Published 2020-07-14.
- How severe is CVE-2020-6287?
- Critical severity. CVSS v3 base score is 10.0 out of 10.
- Is CVE-2020-6287 known to be exploited?
- Yes. CVE-2020-6287 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 69 public proof-of-concept repositories are indexed.