CVE-2020-6287
CRITICALCISA KEVEPSS 100th pctlDescription
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
SAP NetWeaver Missing Authentication for Critical Function Vulnerability
SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users.
Apply updates per vendor instructions.
Remediation due: 2022-05-03
References
- http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html
- http://seclists.org/fulldisclosure/2021/Apr/6
- https://launchpad.support.sap.com/#/notes/2934135
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-6287
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-31.