CVE-2020-6207

CRITICAL KEV NUCLEI

SAP Solution Manager 7.2 - Auth Bypass

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-6207 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 4 public exploits from researchers including chipik, Yvan Genuer, Pablo Artuso, Dmitry Chastuhin, Vladimir Ivanov, including a Metasploit module lib/msf/core/exploit/remote/http/sap_sol_man_eem_miss_auth. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2020-6207, an unauthenticated RCE vulnerability in SAP Solution Manager's EEM Admin Service. It includes step-by-step exploitation details, SOAP request examples, and root cause analysis of the file upload restrictions.

Description

SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.

Exploits (4)

nomisec WRITEUP 81 stars
by chipik · remote
https://github.com/chipik/SAP_EEM_CVE-2020-6207

This repository provides a detailed technical analysis of CVE-2020-6207, an unauthenticated RCE vulnerability in SAP Solution Manager's EEM Admin Service. It includes step-by-step exploitation details, SOAP request examples, and root cause analysis of the file upload restrictions.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SAP Solution Manager 7.2
No auth needed
Prerequisites: Network access to SAP Solution Manager's EEM Admin Service · Presence of a connected SMD agent
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http/sap_sol_man_eem_miss_auth.rb

This Metasploit module exploits CVE-2020-6207, a missing authentication check in SAP Solution Manager 7.2's EEM servlet. It allows unauthenticated attackers to execute arbitrary commands (RCE) or perform SSRF attacks via crafted SOAP requests.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SAP Solution Manager 7.2
No auth needed
Prerequisites: Network access to SAP Solution Manager EEM servlet
devstral-2 · analyzed Mar 05, 2026 Full analysis →
metasploit WORKING POC
by Yvan Genuer, Pablo Artuso, Dmitry Chastuhin, Vladimir Ivanov · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb

This Metasploit module exploits CVE-2020-6207, an unauthenticated remote command execution vulnerability in SAP Solution Manager 7.2. It leverages missing authentication checks in the EEM servlet to execute OS commands, perform SSRF, and retrieve credentials from connected SMDAgents.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SAP Solution Manager 7.2
No auth needed
Prerequisites: Network access to SAP Solution Manager on port 50000 · Connected SMDAgent with Java 1.8
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Yvan Genuer, Pablo Artuso, Dmitry Chastuhin, Vladimir Ivanov · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/sap/cve_2020_6207_solman_rs.rb

This Metasploit module exploits CVE-2020-6207, an unauthenticated remote command execution vulnerability in SAP Solution Manager 7.2 via SOAP requests to the EemAdminService. It leverages missing authentication checks to execute OS commands on connected SMDAgents.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SAP Solution Manager 7.2
No auth needed
Prerequisites: Network access to SAP Solution Manager on port 50000 · Connected SMDAgent with Java 1.8
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

SAP Solution Manager 7.2 - Remote Command Execution
CRITICALby _generic_human_

References (8)

Core 8
Core References
Broken Link, Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/2890213
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/Apr/4
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/Jun/34

Scores

CVSS v3 9.8
EPSS 0.9415
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-04-08
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-27357
CWE
CWE-306
Status published
Products (1)
sap/solution_manager 7.20
Published Mar 10, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026