Enterprise resource planning (ERP) software vendor SAP and cloud consulting firm Onapsis have released a warning about vulnerabilities in unpatched SAP systems. Onapsis, which organized the research, identified hundreds of automated exploitation attempts over the past year. These break-ins were attempted on customers' systems or their own cloud systems, not on SAP-hosted cloud environments. Such attacks are possible because millions of servers run SAP software in the cloud. The company releases dozens of small patches every day. However, the unapplied patches were ones that SAP released weeks, months, and in some cases, years ago.
Maintaining SAP system landscapes and applying patches takes time and often extensive testing. Most large companies carry out multiple levels of patching, tackling vulnerabilities as they come while prioritizing key functional service packages on a monthly or quarterly basis. Users cannot patch their own systems to resolve these issues, but they can help their support organization test the latest patches. According to the research, Onapsis noted that the hackers often patched the backdoor they used for entry. This helped them mask the vulnerability so that the main issue could not be resolved, and they always had a vulnerability to infiltrate.
Any disruption in the service can affect most users dependent on a system. It could also affect users of other integrated systems, as SAP is generally the system of record where it's installed, feeding dozens of other systems. The best way to defend against these attacks is through good planning and communication. The business users and technical support must work together to identify any vulnerability and keep the systems secure.