Over Half Of SAP Servers On The Internet Are Vulnerable To Attack, Researcher Says

Published: 22/11/2024   Category: security




Critical flaws in leading ERP app to be demonstrated at Black Hat this week



A researcher has discovered a critical set of security vulnerabilities that afflicts more than half of SAP servers on the Internet.
At the Black Hat USA conference in Las Vegas this week, SAP security expert Alexander Polyakov will outline a new issue he has found with the industry's most popular enterprise resource planning (ERP) application, SAP.
The new class of vulnerabilities could enable an attacker to gain control of a company's financial flow, providing the path for espionage, sabotage, or fraud, Polyakov says in a press release.
The flaw, which Polyakov found in the J2EE engine of SAP's NetWeaver software, allows an attacker to bypass authorization checks. For example, it is possible to create a user and assign him to the administrators group using two unauthorized requests to the system, the release states. The attack works even when systems are protected by two-factor authentication.
To prove the vulnerability, researchers from Polyakov's company, ERPScan, created a program that detects SAP servers on the Internet. More than half of the servers detected with this new program displayed the authorization vulnerability.
During our research, we detected several examples [of the vulnerability] in the standard system configuration, Polyakov states in the release. And because each company customizes the system under its own business processes, new examples of vulnerabilities of the given class can be potentially detected at each company in the future.
ERPScan is offering a free program that can detect the vulnerabilities.
