US cyber officials urge patching of bug affecting up to 40K SAP customers

The last month has been a bonfire of critical software bugs.
SAP software is used throughout the Fortune 500. The company is dealing with a critical software bug disclosed this week. (Getty Images)

A critical vulnerability in applications made by software giant SAP could affect up to 40,000 SAP customers, offering a pathway for hackers to remotely steal or alter data, researchers warned Tuesday.

At least 2,500 SAP systems with the vulnerability were exposed to the internet, making life easier for anyone who would want to exploit the bug, said researchers from Boston-based security company Onapsis. Exploiting the vulnerability could give a hacker administrative access to SAP software housing business and financial data, they said.

The scope of the affected organizations and the importance of the SAP software to businesses prompted the Department of Homeland Security’s cybersecurity arm to issue an alert late Monday urging organizations to address the issue. “Due to the criticality of this vulnerability, the attack surface this vulnerability represents, and the importance of SAP’s business applications, the Cybersecurity and Infrastructure Security Agency strongly recommends organizations immediately apply patches,” CISA told affected organizations.

SAP, which boasted $31 billion in revenue last fiscal year and some of the world’s biggest companies as clients, released a security fix and urged customers to apply it. A spokesperson for the company declined to comment on Onapsis’s estimate that 40,000 SAP customers were affected.


There haven’t been any reports of malicious hackers exploiting the vulnerability in attacks, according to CISA. But there are concerns that, with a patch available, attackers could reverse-engineer an exploit within days.

Among other underlying code, the vulnerability affects SAP’s Enterprise Portal software, which clients use to manage financial and personnel data, according to Onapsis. Also implicated is the software that allows an organization’s SAP and non-SAP systems to talk to each other.

“The impact of this flaw is what makes it different from other SAP vulnerabilities,” said Onapsis’s Pablo Artuso, who discovered the bug. “Because it resides in a common layer, it means that several SAP products are vulnerable — not only internet-facing products, but also ones that are highly connected with other SAP systems such as Solution Manager.”

The software flaw “could have a significant impact on financial systems or other critical areas of an organization,” said Tony Cole, CTO of cybersecurity company Attivo Networks. He called it “a stark reminder that in our industry we always want to stay on our toes and have the right processes in place long ahead of a critical vulnerability announcement.”

It is one of multiple critical bugs to be disclosed in enterprise software in the last two weeks, following vulnerabilities found in Palo Alto Networks and F5 Networks products. The flurry of bugs has led some analysts to wonder if there’s an underlying problem in coding practices in the industry.


“When you have a high-impact vulnerability on your platform, it’s a great time to go back and look at your software development life cycle,” said Charles Dardaman, senior adversarial engineer at security firm CriticalStart. “A lot of times, companies have bolted security on at the end rather than integrated it into their development processes.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts