Security News > 2020 > July > Critical flaw gives attackers control of vulnerable SAP business applications

SAP has issued patches to fix a critical vulnerability that can lead to total compromise of vulnerable SAP installations by a remote, unauthenticated attacker.

The flaw affects a variety of SAP business solutions, including SAP Enterprise Resource Planning, SAP Supply Chain Management, SAP HR Portal, and others.

"If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account, which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications. The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability," the US Cybersecurity and Infrastructure Security Agency explained.

"Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP's business applications, the Cybersecurity and Infrastructure Security Agency strongly recommends organizations immediately apply patches. CISA recommends organizations prioritize patching internet-facing systems, and then internal systems," the agency noted.

Onapsis researchers say that a scan they performed showed 2,500 vulnerable SAP systems exposed to the internet.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/vAYJjC9Q4Qg/