Critical SAP Bug Allows Full Enterprise System Takeover

Today’s firedrill is…:

A critical vulnerability, carrying a severity score of 10 out of 10 on the CVSS scale, has been disclosed in SAP software and affects SAP customers broadly.

SAP’s widely deployed collection of enterprise resource planning (ERP) software is used by organizations to manage their financials, logistics, customer-facing operations, human resources and other business areas. As such, these systems hold a great deal of sensitive information. According to an alert from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personally identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating-system command execution; and delete or modify traces, logs and other files.

The bug has been named RECON by the Onapsis Research Labs researchers who found it, and it affects more than 40,000 SAP customers, they noted. SAP delivered a patch for the issue on Tuesday.

“An attacker leveraging this vulnerability will have unrestricted access to critical business information and processes in a variety of different scenarios,” according to the firm.

Original article here