The flaw can be exploited remotely, ARN reported, without a username or password. As many as 40,000 SAP users could be affected, according to data from security firm Onapsis. Around 2,500 vulnerable SAP systems are directly exposed to the internet, and attackers who compromise those systems could use them as a foothold to reach other networks.
The flaw lets attackers create new users with administrative roles, bypassing the system's access controls and its segregation-of-duties safeguards.
This exposes affected networks to many kinds of attack: theft of customers' and employees' personally identifiable information, modification or deletion of financial records, and tampering with purchasing processes. An attack could also take the system down, causing financial losses from the resulting downtime, ARN wrote.
According to Onapsis, access to the administrative process "will allow the attacker to manage (read/modify/delete) every database record or file in the system," which could in turn affect financial privacy compliance, ARN reported.
The vulnerability is tracked as CVE-2020-6287 and sits in SAP NetWeaver Application Server Java (a missing authentication check in its LM Configuration Wizard component), the software layer underlying most SAP applications, according to ARN. NetWeaver AS Java versions 7.30 through 7.50 are affected, including the newest release, across all SAP support packages.
While SAP applications are the primary targets, SAP systems are typically integrated with third-party systems that exchange data through application programming interfaces (APIs). An attacker who has compromised the SAP system could also obtain the credentials used for those integrations, ARN reported. Attacks on the SAP Enterprise Portal also put at risk the large volumes of B2B and business data held on its servers, according to Onapsis CEO Mariano Nunez.