Internet Facing SAP Vulnerability

Thursday, November 3, 2016 @ 02:11 PM gHale


An SAP zero-day vulnerability patched two months ago still affects more than 900 Internet-facing SAP systems, researchers said.

Attackers could leverage the vulnerability to remotely obtain the list of SAP users from the system, said Quenta Solutions’ Sergiu Popa, who reported the issue to SAP.

By exploiting this vulnerability, an attacker could obtain information such as usernames, user IDs and even emails. An attacker obtaining the username and email can use them to launch phishing attacks or to spam users with malware.

SAP patched the information disclosure vulnerability in September.

More than 15 percent of all SAP systems exposed to the Internet are vulnerable to this issue, and because patches are usually slow to roll out, users might still suffer from an attack.

The vulnerability impacts at least 941 SAP Systems exposed to the Internet, but this is not the first issue of the kind to have been resolved by SAP. In fact, the company just patched two similar flaws in other applications.


