Homeland Security warns of hackers exploiting SAP security flaw

Homeland Security has warned that hackers are exploiting a security vulnerability in SAP business software — a flaw that dates back to 2010.

The department’s Computer Emergency Readiness Team (CERT) sent an alert on Wednesday warning that at least 36 unnamed organizations are running misconfigured or outdated software, which could leave them prone to remote attacks by hackers.

One of the affected enterprises is said to be among the ten highest-grossing companies in the world, and more than a dozen generate over $10 billion in annual revenue.

According to the alert, a hacker who successfully exploits the vulnerability can gain full access to, and complete control of, an affected SAP platform, including the business information and processes on those systems.

The flaw, found in the Invoker Servlet, was fixed in 2010 but persists in outdated software used by many modern businesses.

The flaw affects a number of the company’s most popular business applications, including SAP Enterprise Resource Planning (ERP) and SAP Customer Relationship Management (CRM).

A spokesperson for SAP said in an emailed statement that the vulnerable component was disabled in 2010.

“All SAP applications released since then are free of this vulnerability,” the spokesperson said. “Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20.”

It’s the third alert by the government agency so far this year.

Onapsis, the security firm credited with finding the flaw, said it had alerted affected customers and worked closely with Homeland Security to ensure that affected companies were able to mitigate the associated risks.