SAP Security vulnerability affects SAP customers worldwide


Research by ERP-SEC has uncovered several default SAP accounts that exist in many SAP systems worldwide and still carry their default password. Because these credentials are publicly known, anyone who can reach the logon interfaces of such a system can use them, which exposes affected customers to theft of business-critical data, business process disruption, fraud and similar risks.

The vulnerability was demonstrated at the Troopers Security Conference, an annual security conference with a track dedicated to SAP security. Joris van de Vis, researcher at ERP-SEC, demonstrated a full compromise of the SAP Solution Manager and of the systems connected to it using three of these default accounts.

Because the vulnerability is a set of default credentials rather than a software defect, it cannot be fixed by applying a patch. Instead, customers need to change the passwords of these users. Where such an account is a technical user whose password is also stored in connections to other systems, those connections have to be updated at the same time, or they will stop working. SAP has released a Security Note to support customers with this process.

As stated by Joris van de Vis, “The impact of these default users is very high. Especially since they exist in the heart of your SAP landscape, the SAP Solution Manager. If this system gets compromised, your entire SAP landscape is likely to be fully compromised. The precise percentage of affected customers is unclear, but a quick check among some of our customers shows at least 50% of them have one or more of these default users with a default password in their systems. This only affects long-time SAP customers, as new installations are not affected.”

Detecting whether these accounts exist with their default passwords can be difficult, as the affected users are technical accounts that are easily overlooked. To make this easier, ERP-SEC has released a free tool for customers running SAP.

About ERP Security B.V.
ERP Security B.V. consists of specialists and developers experienced in SAP security. The company’s solutions are based on years of security research that has helped reduce security risks for systems running SAP software. ERP Security's mission is to raise the security of business-critical SAP platforms with minimal impact on day-to-day business.

                        # # #

SAP, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. See for additional trademark information and notices. All other product and service names mentioned are the trademarks of their respective companies.

For more information: Please contact Mr. Robin Vleeschhouwer: rvleeschhouwer(at)erp-sec(dot)com

Contact Author

Joris van de Vis
ERP Security
+31 647100101