50,000 SAP customers are currently vulnerable to hacks due to software misconfiguration

The vulnerabilities could be prevented if customers simply followed guidance set by SAP more than five years ago

SAP logo

Up to 50,000 businesses that use SAP software are at risk of becoming victim to a cyber attack due to misconfigured software, according to research.

The new critical exploits discovered by cyber security firm Onapsis on 23 April and dubbed '10KBLAZE' would allow a hacker to abuse a misconfiguration in SAPNetWeaver installations as well as S4/HANA to assume complete control of a system without the need for a valid SAP user ID and password.

The company said that after a 10-year examination of publicly available information, 90% of the 1,000,000 SAP systems that are live right now are running the potentially vulnerable equipment.

SAP released guidance to its customers in 2009 and 2013 which outlined how to properly configure the SAP software to protect against security vulnerabilities. But the latest report shows how many businesses have taken these security warnings with a grain of salt.

"The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems," said Mariano Nunez, CEO and co-founder, Onapsis. "This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

SAP is a global powerhouse in software development and its products are relied upon by many of the world's leading businesses. Up to 90% of the world's top 2,000 businesses use SAP software to some degree in their infrastructure.

SAP customers collectively distribute 78% of the world's food and 82% of the world's medical devices, according to the company's website. Attacks on these companies could prove to be catastrophic to the global supply chain.

"With these exploits, a hacker could steal anything that sits on a company's SAP systems and also modify any information there - so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems," Nunez told Reuters.

"SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server, however, these have been patched by SAP a few years ago," said an SAP spokesperson. "Security notes 821875,1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."

SAP has reported strong growth this year after its Q4 report released in January revealed a 9% revenue growth, primarily attributed to the company's SaaS offerings as legacy products dwindled.

Featured Resources

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

6 ways your business could suffer if you don’t backup Office 365

Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for good

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

10 Feb 2020
Visit/software/linux/354831/microsoft-to-add-defender-antivirus-software-to-linux-ios-and-android
Linux

Microsoft to add Defender antivirus software to Linux, iOS and Android

21 Feb 2020