50,000 SAP customers are currently vulnerable to hacks due to software misconfiguration

The vulnerabilities could be prevented if customers simply followed guidance set by SAP more than five years ago

Blue SAP sign

Up to 50,000 businesses that use SAP software are at risk of becoming victim to a cyber attack due to misconfigured software, according to research.

The new critical exploits discovered by cyber security firm Onapsis on 23 April and dubbed '10KBLAZE' would allow a hacker to abuse a misconfiguration in SAPNetWeaver installations as well as S4/HANA to assume complete control of a system without the need for a valid SAP user ID and password.

The company said that after a 10-year examination of publicly available information, 90% of the 1,000,000 SAP systems that are live right now are running the potentially vulnerable equipment.

SAP released guidance to its customers in 2009 and 2013 which outlined how to properly configure the SAP software to protect against security vulnerabilities. But the latest report shows how many businesses have taken these security warnings with a grain of salt.

"The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems," said Mariano Nunez, CEO and co-founder, Onapsis. "This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes."

SAP is a global powerhouse in software development and its products are relied upon by many of the world's leading businesses. Up to 90% of the world's top 2,000 businesses use SAP software to some degree in their infrastructure.

SAP customers collectively distribute 78% of the world's food and 82% of the world's medical devices, according to the company's website. Attacks on these companies could prove to be catastrophic to the global supply chain.

"With these exploits, a hacker could steal anything that sits on a company's SAP systems and also modify any information there - so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems," Nunez told Reuters.

"SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server, however, these have been patched by SAP a few years ago," said an SAP spokesperson. "Security notes 821875,1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."

SAP has reported strong growth this year after its Q4 report released in January revealed a 9% revenue growth, primarily attributed to the company's SaaS offerings as legacy products dwindled.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021
US fuel pipeline hackers reveal their motive
ransomware

US fuel pipeline hackers reveal their motive

11 May 2021
Apple's AirTag tracker has already been hacked
hacking

Apple's AirTag tracker has already been hacked

10 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021