April 7, 2021
Security Alert | SAP Vulnerabilities Under Active Attack

SAP and Onapsis security researchers have released a threat intelligence report detailing the active exploitation of critical SAP application vulnerabilities. Multiple “advanced threat actors” are carrying out a range of attacks with techniques that could lead to full control of unsecured applications. Affected organizations may experience:

  • Theft of sensitive data
  • Financial fraud
  • Disruption of mission-critical business processes
  • Ransomware
  • Halted operations

Attempts at chaining vulnerabilities to achieve privilege escalation for OS-level access have been observed, expanding the potential impact beyond SAP systems and applications. In some cases, attackers are patching exploited vulnerabilities after accessing a victim’s environment, a technique often used to deploy backdoors on seemingly patched systems to evade detection and maintain persistence.

Who Is at Risk?

The vulnerabilities being exploited are known, and patches have been available for months. However, many organizations have still not applied the relevant mitigations, allowing unprotected SAP systems to remain visible to attackers via the internet.

Any SAP customer that has not yet addressed these vulnerabilities is at risk and—as the report points out—the consequences could be far-reaching:

“These are the applications that 92% of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy. With more than 400,000 organizations using SAP, 77% of the world’s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense and many more.”

What You Can Do

  • Conduct a thorough review of your SAP landscape and apply the relevant security patches.
  • Download the Threat Intelligence Report for details of the vulnerabilities/CVEs, the specific tactics, techniques and procedures (TTPs) threat groups are using, and detailed mitigation information.
  • Perform a compromise assessment and forensic investigation of at-risk environments.
  • Attend a live Q&A session on April 8 or April 12 with SAP CISO Richard Puckett.
  • Contact us. We can help you evaluate your environment, detect malicious activity, and remediate any weaknesses that could result in compromise.


About the Author
CBI, A Converge Company
CBI Cybersecurity
CBI, A Converge Company, is a leading cybersecurity advisor to many of the world’s top tier organizations. Founded in 1991, CBI provides innovate, flexible and customizable solutions that help ensure data is secure, compliant and available. We engage in an advisory-led approach to safeguard our clients against the ever-changing threat landscape—giving them comprehensive visibility into their entire security program and helping them avoid cyber challenges before they can impact their data, business and brand. We are dedicated to the relentless pursuit of mitigating risks and elevating corporate security for a multitude of industries and companies of all sizes.
I Need To...