CVE-2020-6286

MEDIUM EXPLOITED

SAP NetWeaver AS JAVA (LM Configuration Wizard) 7.30-7.50 - Path Traversal

Title source: llm

Exploitation Summary

CVE-2020-6286 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including murataydemir.

AI-analyzed exploit summary:
This repository contains a functional proof-of-concept exploit for CVE-2020-6286, demonstrating a directory traversal vulnerability in SAP NetWeaver AS JAVA (LM Configuration Wizard). The exploit leverages insufficient input validation in the `sessionID` parameter of a SOAP request to traverse directories and download arbitrary files.

Description

Insufficient input path validation of a certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, allows an unauthenticated attacker to invoke a method that downloads zip files from a specific directory, leading to Path Traversal (CWE-22).
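The flaw described above is the textbook CWE-22 shape: a caller-supplied identifier is joined into a filesystem path with no canonicalisation and no check that the result stays inside the intended directory. The Python below is an added example, not code from the PoC repositories listed on this page nor from SAP. It places the unvalidated path construction beside a hardened resolver, and parses constructed SOAP bodies to flag traversal in the `sessionID` element, including percent-encoded and double-encoded forms. The zip root directory, the SOAP operation name and namespace, and the sample requests are assumptions made for illustration; only the `sessionID` element name comes from the page.

```python
"""Added example (not the PoC repositories' code nor SAP's): models the CWE-22
flaw described for CVE-2020-6286 beside its hardened form, and flags traversal
in the sessionID element of SOAP bodies. ZIP_ROOT, the SOAP operation name and
namespace, and the sample requests are constructed assumptions."""
import os
import re
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Optional

# Hypothetical directory the service would serve zip files from (assumption).
ZIP_ROOT = "/srv/sap/lmctc/logs"

# Matches "../" or "..\" once encoding layers have been stripped.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def vulnerable_zip_path(session_id: str) -> str:
    """Unvalidated construction, as the advisory describes: the caller-supplied
    sessionID is joined straight into the path, so '../' walks out of ZIP_ROOT."""
    return os.path.normpath(os.path.join(ZIP_ROOT, session_id))


def safe_zip_path(session_id: str) -> str:
    """Hardened form: allow-list the identifier's characters, canonicalise the
    result and require it to remain inside ZIP_ROOT (the containment check is
    defence in depth against symlinks). Raises ValueError otherwise."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", session_id):
        raise ValueError("sessionID is not a plain identifier")
    root = os.path.realpath(ZIP_ROOT)
    candidate = os.path.realpath(os.path.join(root, session_id))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes ZIP_ROOT")
    return candidate


def decode_layers(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f)
    is normalised before pattern matching."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def session_id_from_soap(body: str) -> Optional[str]:
    """Return the text of the first element named sessionID, ignoring namespaces."""
    for element in ET.fromstring(body).iter():
        if element.tag.rsplit("}", 1)[-1] == "sessionID":
            return element.text or ""
    return None


def flag_request(body: str) -> dict:
    """Detection check: traversal is True when the sessionID carries a '../'
    or '..\\' sequence after decoding, or is an absolute path."""
    raw = session_id_from_soap(body)
    if raw is None:
        return {"session_id": None, "traversal": False}
    decoded = decode_layers(raw)
    hit = bool(TRAVERSAL.search(decoded)) or decoded.startswith(("/", "\\"))
    return {"session_id": raw, "traversal": hit}


def soap_body(session_id: str) -> str:
    """Build a constructed SOAP request; operation and namespace are placeholders."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Body><ns:downloadZip xmlns:ns="urn:example:placeholder">'
        f"<sessionID>{session_id}</sessionID>"
        "</ns:downloadZip></soapenv:Body></soapenv:Envelope>"
    )


# Constructed samples, not captured traffic.
BENIGN = soap_body("a1b2c3")
PLAIN_TRAVERSAL = soap_body("../../../../etc/passwd")
ENCODED_TRAVERSAL = soap_body("%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd")

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("plain", PLAIN_TRAVERSAL), ("encoded", ENCODED_TRAVERSAL)]:
        print(name, flag_request(body))
    print("vulnerable resolves to:", vulnerable_zip_path("../../../../etc/passwd"))
    try:
        safe_zip_path("../../../../etc/passwd")
    except ValueError as err:
        print("hardened rejects it:", err)
```

The detector decodes before matching because a WAF or log rule that only looks for the literal `../` misses `%2e%2e%2f` and `%252e%252e%252f`; the hardened resolver, by contrast, does not try to enumerate bad patterns at all but restricts the identifier to an allow-list and then proves containment on the canonical path, which is the fix CWE-22 actually calls for.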

Exploits (2)

nomisec WORKING POC 6 stars
by murataydemir · remote
https://github.com/murataydemir/CVE-2020-6286

This repository contains a functional proof-of-concept exploit for CVE-2020-6286, demonstrating a directory traversal vulnerability in SAP NetWeaver AS JAVA (LM Configuration Wizard). The exploit leverages insufficient input validation in the `sessionID` parameter of a SOAP request to traverse directories and download arbitrary files.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30, 7.31, 7.40, 7.50
No auth needed
Prerequisites: Network access to the vulnerable SAP NetWeaver AS JAVA instance
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/chipik/SAP_RECON

This repository contains a functional exploit PoC for CVE-2020-6286 and CVE-2020-6287, targeting SAP NetWeaver AS Java. It includes detection for missing authorization checks and exploits directory traversal to download ZIP files, as well as user creation with varying privileges.

Classification
Working Poc 100%
Attack Type
Auth Bypass | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: SAP NetWeaver AS Java
No auth needed
Prerequisites: Network access to SAP NetWeaver AS Java · SAP LM Configuration Wizard exposed
devstral-2 · analyzed Jun 13, 2026

References (2)

Core References
Vendor Advisory (SAP Note 2934135; SAP login required): https://launchpad.support.sap.com/#/notes/2934135

Scores

CVSS v3 5.3
EPSS 0.2831
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2026-06-12
CWE
CWE-22
Status published
Products (4)
sap/netweaver_application_server_java 7.30
sap/netweaver_application_server_java 7.31
sap/netweaver_application_server_java 7.40
sap/netweaver_application_server_java 7.50
Published Jul 14, 2020
Tracked Since Feb 18, 2026