SEC Consult Vulnerability Lab discovered a critical code injection vulnerability (CVE-2020-6262) with a CVSSv3 Score of 9.9 in SAP® Service Data Download (a part of the SAP® Solution Manager Plugin ST-PI).

This vulnerability affects all SAP® ABAP servers that use the below mentioned components. It can be exploited over the network and allows an authenticated attacker to inject code into a standard ABAP application to control the behavior of the vulnerable component and thereby the entire SAP® Application Server ABAP.

The impact is of highest criticality as the vulnerability itself enables e.g.:

  • Unauthorized execution of arbitrary commands
  • Disclosure of sensitive information
  • Denial of Service (DoS) attacks

Considering the impact, we advice all customers to implement note 2835979 as soon as possible.

As part of the SEC Consult responsible disclosure process this vulnerability was reported to SAP® by SEC Consult’s researchers (Alexander Meier and Fabian Hagg) immediately after discovery on 20th April 2020. Further detailed information will be published three months after patch release in accordance with SAP’s responsible disclosure guidelines.

We want to express our thanks to the folks at SAP®, especially the SAP® Product Security Response Team. They reacted fast for every inquiry and released a timely patch on the 12th May 2020.

TitleCode Injection Schwachstelle in Service Data Download
TypeCode Injection/Remote Code Execution
CVSS v3 Score9.9
Affected ComponentSAP® Solution Tools Plug-In ST-PI
Affected ProductSAP® Application Server ABAP, ST-PI Versionen-  2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740
Available Patches (Security Note 2835979)
Release date patch2020-05-12
Planned release date for detailed advisory2020-08-12

Want to know more how to secure your organization? Contact Us