As many as 50,000 companies running software by SAP could face a bigger risk of being hacked because a years-old vulnerability hasn’t been patched.
That’s according to Onapsis, the security firm, which told Reuters it found new ways to exploit weaknesses in systems that weren’t patched correctly. Despite the fact that SAP issued information on how to correctly patch the vulnerability in 2009 and 2013, around 90 percent of affected SAP systems haven’t been secured.
“Basically, a company can be brought to a halt in a matter of seconds,” Onapsis Chief Executive Mariano Nunez told the news outlet. “With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there — so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.” In response to Onapsis, SAP told Reuters it always “strongly recommends” customers install security fixes as soon as they are issued. The company went on to say that the vulnerability underscores the need on the part of clients to implement the patches when they’re released. “Security is a collaborative process, so our customers and partners need to safeguard their systems as well,” it said in a statement.
The weakness pertained to the way SAP applications communicate within an organization. If the security settings aren’t configured properly, a hacker can trick a company application into thinking it is talking to another SAP app and get access to the network. Given that the German software company’s software is used by more than 90 percent of the largest 2,000 companies in the world, attacks on those systems could be devastating, security experts said in the report, which noted SAP customers distribute 78 percent of the food for the world and 82 percent of the medical devices. Researchers at Onapsis said the firm is naming the vulnerability “10KBLAZE,” according to the report, a name chosen due to the threat it poses to business-critical applications. If they are hacked it could result in “material misstatements” in U.S. financial filings, noted the report.