50,000 SAP customers are currently vulnerable to hacks due to software misconfiguration

The vulnerabilities could be prevented if customers simply followed guidance set by SAP more than five years ago


Up to 50,000 businesses that use SAP software are at risk of falling victim to a cyber attack due to misconfigured software, according to research.

The new critical exploits, discovered by cyber security firm Onapsis on 23 April and dubbed '10KBLAZE', would allow a hacker to abuse a misconfiguration in SAP NetWeaver installations, as well as S/4HANA, to assume complete control of a system without the need for a valid SAP user ID and password.

The company said that after a 10-year examination of publicly available information, 90% of the 1,000,000 SAP systems that are live right now are running the potentially vulnerable equipment.

SAP released guidance to its customers in 2009 and 2013 which outlined how to properly configure the SAP software to protect against security vulnerabilities. But the latest report shows how many businesses have taken these security warnings with a grain of salt.

"The onus is on service providers and customers to implement, enforce and monitor tighter security controls on the systems," said Mariano Nunez, CEO and co-founder, Onapsis. "This can be very challenging and take significant resources, but the stakes are simply too high not to make the suggested configuration changes."

SAP is a global powerhouse in software development and its products are relied upon by many of the world's leading businesses. Up to 90% of the world's top 2,000 businesses use SAP software to some degree in their infrastructure.

SAP customers collectively distribute 78% of the world's food and 82% of the world's medical devices, according to the company's website. Attacks on these companies could prove to be catastrophic to the global supply chain.

"With these exploits, a hacker could steal anything that sits on a company's SAP systems and also modify any information there - so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems," Nunez told Reuters.

"SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server, however, these have been patched by SAP a few years ago," said an SAP spokesperson. "Security notes 821875, 1408081 and 1421005 released in 2009 and 2013 will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape."

SAP has reported strong growth this year: its Q4 report, released in January, revealed 9% revenue growth, primarily attributed to the company's SaaS offerings as legacy products dwindled.
