Misconfigured SAP systems vulnerable to ’10KBlaze’ cyberattacks

Misconfigured SAP systems

Security researchers have discovered nearly 50,000 misconfigured SAP systems may be vulnerable to exploits dubbed “10KBlaze” and could lead to the full compromise of SAP applications.

In a new research report, Onapsis Research Labs spotted last month several new exploits that target “administrative misconfigurations” in multiple SAP NetWeaver installations (to include SAP S4/HANA).

“We estimate these exploits could affect 9 out of 10 SAP systems of more than 50,000 customers world-wide. We recommended you review and apply all relevant SAP security notes immediately,” Onapsis noted in a blog post.

Impacted SAP applications include: SAP Enterprise Resource Planning (ERP), SAP Product Lifecycle Management (PLM), AP Customer Relationship Management (CRM), SAP Human Capital Management (HCM), SAP Supply Chain Management (SCM), SAP Supplier Relationship Management (SRM), SAP NetWeaver® Business Warehouse (BW), SAP Business Intelligence (BI), SAP Process Integration (PI), SAP Solution Manager (SolMan), SAP Governance, Risk & Compliance 10.x (GRC) and SAP NetWeaver ABAP® Application Server 7.0 – 7.52.

According to Onapsis, SAP administrators should configure and harden their SAP systems/applications according to SAP security guidelines. Based on the report, however, it appears many SAP customers may not have followed those security recommendations.

The impact of such exploits could result in bad actors creating new users with arbitrary privileges on SAP systems, thus allowing the attackers to “view and modify critical and sensitive business data.”

Onapsis also released two open source intrusion detection signatures (via Snort rules) that can help SAP customers monitor for the 10KBlaze threat. You can download the full Onapsis report for more details.