
SAP security flaw leaves thousands at risk

(Image credit: Balefire / Shutterstock)

Almost 50,000 companies that run SAP software are at risk of data breaches, new research has claimed.

A report from security researchers at Onapsis found new ways to exploit vulnerabilities in systems that have not been properly configured.

The vulnerabilities, and tools to exploit them, have been published online. Onapsis calls the exploits 10KBLAZE because of the threat they pose to “business-critical applications”.

SAP said it published guidelines on how to set up the system securely in 2013, but Onapsis says 90 per cent of systems are not configured properly.

“Basically, a company can be brought to a halt in a matter of seconds,” said Onapsis Chief Executive Mariano Nunez, whose company specializes in securing business applications such as those made by SAP and rival Oracle.

“With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there – so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”

SAP said: “SAP always strongly recommends installing security fixes as they are released.”

Security experts say that such attacks could be ‘hugely damaging’ for everyone involved. SAP’s customers collectively distribute 78 per cent of the world’s food, according to Reuters, and 82 per cent of global medical devices.

Edit: Following the publication of this article, SAP reached out with a statement, which we share below in full:

"SAP is aware of recent reports about vulnerabilities in SAP Gateway and Message Server; however, these were patched by SAP a few years ago. Security notes 821875, 1408081 and 1421005, released in 2009 and 2013, will protect the customer from these exploits. As always, we strongly advise our customers to apply these security notes immediately and ensure secure configuration of their SAP landscape.

SAP takes the security of customer data seriously. The recommendations published in the white papers A Practical Guide for Securing SAP® Solutions and Securing Remote Function Calls (RFC) emphasize secure configuration of the SAP landscape. Customers can enable related security checks in the EarlyWatch Alert (note 863362) and the SAP Security Optimization Service (https://support.sap.com/sos).

SAP stands for secure and reliable software solutions. As the global leader in business software, SAP has based its development processes on a comprehensive security strategy (“Prevent – Detect – React”) across the enterprise that relies on trainings, tools and processes to enable the delivery of secure products and services."


Sead Fadilpašić

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.