SAP Bug Still Exposing Companies Six Years After Being Patched!

We are constantly reminded about keeping our software up to date, from something like Word to the auto-updates of Windows 10. Amongst all the features and tweaks we often get with these updates, the first and foremost reason for fixes and updates is often security, with each update fixing another problem found in software. SAP had a rather bad bug back in 2010 before it updated its system to fix the problem. The issue now is that companies are still being caught by the vulnerability that was fixed six years ago.

The SAP function in question was found in the “invoker servlet”, giving hackers the ability to run Java applications without passwords or authentication credentials, essentially giving them a free pass to execute code without any issues. According to researchers at Onapsis, a security firm, the vulnerability is still being used to carry out attacks on over 36 different companies.

With companies involved in telecommunications or gas being affected by the breach, sensitive data, both about the company and their customers, is at risk while also giving an external source the ability to take control of their servers that process the data, opening up their systems to a whole different level of threat.

The invoker servlet was disabled by default in 2010, meaning that either the companies have decided to not update their systems since the fix or they’ve turned the servlet back on to make it run with something they use. While companies often have to be careful with updates, a simple bug fix like this could stop your entire system from communicating with the programs it needs to do its job, leaving such a big threat active on your system for so long can only be seen as a bad omen for the future.