A SAP vulnerability the company fixed six years ago triggered an alert to the security industry on Wednesday because many of the companies that use the software never ran the required security update, according to a Reuters report.
The U.S. Department of Homeland Security's Computer Emergency Response Team (US-CERT) issued the alert and warned SAP customers to fix the vulnerability in order to protect themselves from potential malicious attacks.
- If left unpatched, the vulnerability can reportedly provide attackers remote control over older SAP systems.
US-CERT has issued only two other security warnings of this type so far in 2016.
"This is not a new vulnerability,” Mariano Nunez, chief executive of Onapsis, which works with SAP to plug security holes, told Reuters. "Still, most SAP customers are unaware that this is going on."
When SAP fixed the issue six years ago, it left the decision over whether to switch off an easy access setting to its customers. Clearly, not everyone did so. According to a report published Wednesday by Onapsis, 36 enterprises have shown signs of unauthorized access.
SAP issued a statement Wednesday and said all applications released since the company offered the patch six years ago are free of the vulnerability.
Because SAP software often is managed inside companies as an internal system, there is often less concern about security. But even such internal systems can be compromised, security experts say, potentially giving malicious attackers access to all kinds of internal data. According to SAP, 87% of the top 2,000 global companies are SAP customers, so the potential implications are enormous.
In this case, the responsibility to update systems with security patches falls on the customers, not the software company. This week, the FTC and the FCC issued requests to mobile device manufactures and mobile carriers to provide data about their policies regarding mobile device security updates. The two agencies say they are seeking to better understand and hopefully improve the security of mobile devices.