
SAP software flaw puts thousands of companies at risk


Security researchers have discovered new ways to exploit vulnerabilities in SAP software, which could leave up to 50,000 companies that haven't properly protected their systems at greater risk of being hacked.

The German software giant SAP previously released guidance on how to correctly configure the security settings of its software back in 2009 and 2013. However, data compiled by the security firm Onapsis has revealed that 90 percent of the affected SAP systems have not been properly protected.

The firm's chief executive Mariano Nunez provided further insight into the risk organizations face by not configuring the security settings of their SAP software correctly, saying:

“Basically, a company can be brought to a halt in a matter of seconds. With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there – so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”

SAP responded to Onapsis' findings by saying that “SAP always strongly recommends to install security fixes as they are released.”

SAP software flaw

SAP software is currently used by more than 90 percent of the world's top 2,000 companies to handle everything from employee payrolls to product distribution and industrial processes.

According to security experts, an attack on those systems could have huge implications both for the victim organization as well as the wider supply chain. For instance, SAP customers collectively distribute 78 percent of the world's food and 82 percent of global medical devices. 

Mathieu Geli, security consultant at Sogeti, was one of the researchers who developed the exploits released online last month. According to him, the issue concerns the way SAP applications talk to one another inside a company: if a company's security settings are not configured correctly, a hacker could trick an application into thinking they are another SAP product and gain full access without having to log in.
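The "security settings" at issue are access-control lists that decide which hosts a SAP system will trust as another SAP component. As an added illustration (not code from the article, Onapsis or SAP), the following linter checks a SAP Gateway `reginfo` ACL for the permissive entries a defender would want to find; it assumes the documented `#VERSION=2` syntax (one rule per line, `P` permit, `D` deny, `TP=`, `HOST=`, `ACCESS=` keys) and uses a constructed sample file.

```python
"""Added example (not from the article or from Onapsis/SAP): a small linter for
SAP Gateway reginfo ACL lines. Assumptions: documented #VERSION=2 syntax,
one rule per line, P = permit, D = deny, keys TP=, HOST=, ACCESS=, CANCEL=.
The sample content below is constructed for illustration."""
from typing import Dict, List, Tuple

# Constructed sample: two over-permissive permits, one tight permit, a final deny-all.
SAMPLE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=*
P TP=SAPXPG HOST=*
P TP=IGS.* HOST=internal ACCESS=internal
D TP=*
"""


def parse_rule(line: str) -> Dict[str, str]:
    """Turn 'P TP=x HOST=y' into {'action': 'P', 'TP': 'x', 'HOST': 'y'}."""
    parts = line.split()
    rule = {"action": parts[0].upper()}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        rule[key.upper()] = value
    return rule


def is_wildcard(value: str) -> bool:
    # '*' matches every host; an absent HOST is treated as a wildcard here (assumption).
    return value in ("*", "")


def lint_reginfo(text: str) -> List[Tuple[int, str]]:
    """Return (rule number, finding) pairs for permissive registration rules."""
    rules = [parse_rule(line) for line in text.splitlines()
             if line.strip() and not line.startswith("#")]
    findings: List[Tuple[int, str]] = []
    for number, rule in enumerate(rules, start=1):
        if rule["action"] != "P":
            continue  # deny rules never widen access
        program = rule.get("TP", "*")
        if is_wildcard(rule.get("HOST", "")):
            findings.append((number, f"TP={program}: any host may register this program"))
        if rule.get("ACCESS") == "*":
            findings.append((number, f"TP={program}: any host may call the registered program"))
    if not rules or rules[-1]["action"] != "D":
        findings.append((len(rules), "file does not end with a deny-all rule (D TP=*)"))
    return findings


if __name__ == "__main__":
    for number, message in lint_reginfo(SAMPLE_REGINFO):
        print(f"rule {number}: {message}")
```

Run against the sample it reports three findings: the first rule lets any host register and call any program, and the second lets any host register as `SAPXPG`.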

Onapsis' researchers have named the exploits “10KBLAZE” because of the threat they pose to “business-critical applications”. Luckily though, the company has said that it will share its ability to detect the vulnerabilities with other security vendors to help secure all SAP users against any potential attacks.

Via Reuters

After getting his start at ITProPortal while living in South Korea, Anthony now writes about cybersecurity, web hosting, cloud services, VPNs and software for TechRadar Pro.