SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers

SAP and security analysts Onapsis say cyber-criminals are pretty quick to analyze the enterprise software outfit's patches and develop exploits to get into vulnerable systems.
In a joint report issued by the two organizations, Mariano Nunez, CEO of Onapsis, cited "Conclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications," and warned time was of the essence, reporting "SAP vulnerabilities being weaponized in less than 72 hours since the release of patches."
For newly provisioned SAP applications in cloud environments, discovery and attack can occur in as little as three hours, the report says.
While, yes, patches are rapidly weaponized all the time in the information security world, it's interesting to see it quantified and highlighted by SAP. In conjunction with the SAP/Onapsis alert, the US government's Cybersecurity and Infrastructure Security Agency (CISA) issued its own warning, stating "SAP systems running outdated or misconfigured software are exposed to increased risks of malicious attacks."
The SAP/Onapsis report says that over 300 successful exploitation attempts on unprotected SAP instances have been documented since mid-2020.
The security firm's advice is about what you'd expect: identify any SAP applications vulnerable to these CVEs, test the fixes, and apply them pronto ... without breaking business-critical applications and lowering staff productivity, of course.
Source: https://go.theregister.com/feed/www.theregister.com/2021/04/06/sap_patch_attacks/