Crooks are getting smarter about exploiting SAP software, study finds

A critical bug in SAP software could be a ticket for a criminal to steal a paycheck or employees’ personally identifiable information.
SAP headquarters in Germany (Photo by Thomas Lohnes/Getty Images)

Security researchers on Tuesday warned of the unrelenting interest that cybercriminals have in exploiting applications made by software giant SAP to defraud or disrupt big businesses that rely on SAP products.

A months-long study by Boston-based security firm Onapsis found that malicious hackers are growing more knowledgeable of SAP software and the potential impact that compromises could have on customers.

In one case, an unidentified attacker managed to chain together multiple software exploits to target an SAP “credential store,” which stores login details for an organization’s high-value SAP users. Access to the credential store could give a hacker the ability to exploit other applications that interact with those credentials.

SAP has 400,000 customers worldwide, including more than half of NATO members. A big swath of the world’s largest public companies use the software to manage their business processes.

The roughly 300 exploitations of SAP vulnerabilities observed by Onapsis were all in a “honeypot,” or simulated network that was exposed to the internet and running outdated software. SAP said it didn’t know of any customer breaches related to the activity.

Still, the plethora of criminal groups exploiting the bugs has SAP executives publicly appealing for customers to update their software.

“We’re concerned about customers that have not applied the fixes for months or years to date,” said Tim McKnight, SAP’s chief security officer.

The Department of Homeland Security’s cybersecurity agency publicized the research and encouraged SAP customers to harden their networks.

“We observe attackers using multiple SAP threat vectors and vulnerabilities to get into the system,” Onapsis CEO Mariano Nunez said in a press call. “So we’re talking about a level of intent and capability that is higher than the spray-and-pray type of activity.”
Nunez has made a name for himself picking apart key corporate-management software made by SAP and Oracle. Onapsis last year revealed a critical bug in SAP software that the researchers said affected 40,0000 SAP customers.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.