Attackers are actively exploiting several security vulnerabilities in widely used, mission-critical SAP applications. The vulnerabilities allow full takeover of the affected SAP systems and thereby give the attacker a foothold in the targeted organization.
Several Critical Vulnerabilities in SAP Applications
According to the official CISA announcement of the attacks, “on April 6 2021, security researchers from Onapsis, in coordination with SAP, released an alert detailing observed threat actor activity and techniques that could lead to full control of unsecured SAP applications.”
If an attack succeeds, the organization could be exposed to data theft, financial fraud, disruption of mission-critical processes, a halt of all operations, and ransomware.
The good news is that SAP addressed all of the critical flaws quickly, and patches have been available to customers for months, and in some cases for years. The bad news is that both SAP and Onapsis are still observing a lack of timely mitigation in many organizations, which leaves the exploitation window open for attackers.
Another Critical Flaw in SAP Commerce Platform
Earlier this year, SAP addressed a critical vulnerability in its Commerce platform.
CVE-2021-21477 could allow threat actors to take advantage of the SAP application used by e-commerce businesses, leading to remote code execution. The flaw affects SAP Commerce versions 1808, 1811, 1905, 2005, and 2011. Its severity score is 9.9 out of ten on the CVSS scale, making the impact critical. Mitigating the vulnerability as soon as possible is highly advisable.
A patch was promptly released, but it was only partial: it corrected the default permissions applied when initializing a new installation of the platform, so existing installations are not covered by the patch alone.
“For existing installations of SAP Commerce, additional manual remediation steps are required. The good news is that for existing installations, these manual remediation steps can be used as a full workaround for SAP Commerce installations that cannot install the latest patch releases in a timely manner,” explained security researcher Thomas Fritsch from Onapsis.