More than 36 organizations—some in the gas, telecommunications, and steel manufacturing industries—have been breached by attackers exploiting a vulnerability in older SAP business applications that gives them remote access to highly confidential data, the US government-sponsored CERT warned Wednesday.
The attacks were carried out over the past three years by attackers exploiting the "invoker servlet," which is a set of functions in SAP applications that allows users to run Java applications without use of a password or other authentication measure. Attackers outside the targeted organizations have abused the feature to gain access to sensitive data and possibly to take control over servers that process the data, according to researchers at security firm Onapsis.
"The exploitation of this vulnerability gives remote unauthenticated attackers full access to the affected SAP platforms, providing them with complete control of the business information and processes run by them, as well as potentially further access to connected SAP and non-SAP systems," company researchers wrote in a blog post published Wednesday.