A critically vulnerable default security configuration in SAP systems that was first observed 13 years ago continues to exist in many current implementations, warns a new threat report from the ERP platform security experts at Onapsis.

The insecure configuration is specifically found within SAP Netweaver, a solution stack that serves as the technical foundation for many SAP applications. Unauthorized attackers with network access to these poorly configured systems can exploit the vulnerability to compromise the platform, modify or extract its data, or shut the system down, the report states.

A 2017 review of hundreds of Onapsis clients who use SAP found that roughly 90 percent were vulnerable -- a number that becomes daunting when extrapolated across a customer base of 378,000, says Onapsis in an Apr. 26 blog post, which states the problems result from either "neglecting to apply security configurations or due to unintentional configuration drifts of previously secured systems." 

Onapsis reports that the flaw was first documented in 2005 and affects all past and current versions of Netweaver-based SAP product, "including the latest versions such as cloud and the next generation digital business suite S/4HANA."

Noting that a patch has been available to SAP users for "quote some time," Onapsis says it finally went public with its findings after six months of reaching out to some SAP customers and helping them address the issue.

Seba Bortnick, head of research labs at Onapsis, alluded to the "insecure by default" vulnerability earlier this month in a cable car interview with SC Media at RSA 2018 in San Francisco.