Dive Brief:
- A SAP vulnerability the company fixed six years ago triggered an alert to the security industry on Wednesday because many of the companies that use the software never ran the required security update, according to a Reuters report.
- The U.S. Department of Homeland Security's Computer Emergency Response Team (US-CERT) issued the alert and warned SAP customers to fix the vulnerability in order to protect themselves from potential malicious attacks.
- If left unpatched, the vulnerability can reportedly provide attackers remote control over older SAP systems.
Dive Insight:
US-CERT has issued only two other security warnings of this type so far in 2016.
"This is not a new vulnerability," Mariano Nunez, chief executive of Onapsis, which works with SAP to plug security holes, told Reuters. "Still, most SAP customers are unaware that this is going on."
When SAP fixed the issue six years ago, it left the decision over whether to switch off an easy access setting to its customers. Clearly, not everyone did so. According to a report published Wednesday by Onapsis, 36 enterprises have shown signs of unauthorized access.
SAP issued a statement Wednesday and said all applications released since the company offered the patch six years ago are free of the vulnerability.
Because SAP software is often managed inside companies as an internal system, there is often less concern about its security. But even such internal systems can be compromised, security experts say, potentially giving malicious attackers access to all kinds of internal data. According to SAP, 87% of the top 2,000 global companies are SAP customers, so the potential implications are enormous.
In this case, the responsibility to update systems with security patches falls on the customers, not the software company. This week, the FTC and the FCC issued requests to mobile device manufacturers and mobile carriers to provide data about their policies regarding mobile device security updates. The two agencies say they are seeking to better understand and hopefully improve the security of mobile devices.