Onapsis, the global experts in SAP and Oracle application cybersecurity and compliance, revealed a critical security configuration vulnerability that results from default installations of SAP systems. If the configuration is left insecure, it could lead to a full system compromise in unprotected environments.
If exploited, the impact could allow full control of the system by hackers, putting business-critical ERP, HR, PII, Finance, and Supply Chain data and processes at risk.
The vulnerability, mainly driven by a security configuration originally documented by SAP in 2005, is still present in the majority of SAP implementations, either because the security configuration was never applied or because previously secured systems have unintentionally drifted out of their secure configuration.
Onapsis has spent the past six months reaching out to SAP customers to alert them and help ensure they are addressing the risk in their landscapes. After analyzing hundreds of real SAP customer implementations, Onapsis found that 9 out of 10 SAP systems were vulnerable before the Onapsis Business Risk Assessment or Onapsis Security Platform implementation.
The vulnerability is found in SAP NetWeaver and can be exploited by a remote, unauthenticated attacker with only network access to the system. Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract that information, or shut the system down.
SAP NetWeaver is the foundation of all SAP deployments. The vulnerability affects all versions of SAP NetWeaver, representing 378,000 customers worldwide and 87 percent of the Global 2000. The risk still exists in the default security settings of every NetWeaver-based SAP product, including the latest versions, such as cloud offerings and the next-generation digital business suite S/4HANA.