CrowdSec
7/10CrowdSec Score

SAP Solution Manager - Open Redirect (CVE-2020-26836)

Published on09-12-2020
First seen on14-01-2026
Public ExploitCVSS 6.1/10SAP SE - SAP Solution Manager

34Exploiting IPs reported

SAP Solution Manager (Trace Analysis), version - 720, allows for misuse of a parameter in the application URL leading to Open Redirect vulnerability, an attacker can enter a link to malicious site which could trick the user to enter credentials or download malicious software, as a parameter in the application URL and share it with the end user who could potentially become a victim of the attack.

CrowdSec analysis

CVE-2020-26836 is an open redirect vulnerability in SAP Solution Manager (Trace Analysis) version 720, where attackers can manipulate application URLs to redirect users to malicious sites. This flaw can be exploited to trick users into disclosing credentials or downloading harmful software, making it a potential vector for phishing and social engineering attacks.

CrowdSec has been tracking this vulnerability and its exploits since 7th of January 2026.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2020-26836 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2020-26836 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2020-26836 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit the /sap/public/bc/icf/logoff endpoint by supplying a crafted redirecturl parameter to redirect users to malicious external sites. This open redirect vulnerability is commonly targeted to facilitate phishing or credential theft.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Common Weakness Enumeration (CWE)

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.

References