As IT Security professionals we are all acutely aware of the growing number of cyber attacks and data breaches affecting government organisations and businesses around the world.

Successfully exploiting some known SAP vulnerabilities can give hackers complete control, allowing them to steal data, commit financial fraud, or cause major business disruption through ransomware demands.

Along with our partners at Protect4S and Appsian, we see first hand where the most common vulnerabilities exist and why organisations continue to leave themselves exposed to cyber attacks. Here’s our top 5…


(1) Not applying the latest SAP Security Notes

We know that applying SAP security Notes, or patches, can be an arduously manual task and one that perhaps sinks to the bottom of the list of things to do (or they might be at the bottom of your Application Service Provider’s list of things to do!)

We therefore see many such patches, even those scoring highly in the CVSS vulnerability scale, not being applied. This leaves organisations open to hackers taking total control of some of their business applications through publicly available scripts. According to a recent joint report by SAP and Onapsis, the earliest cyber attack was recorded within just 72 hours after SAP released patches. The same report sites that some un-patched SAP applications deployed to the cloud were discovered and exploited within less than three hours.

Fast, automated, patching ensures that the window of opportunity between an SAP patch being released (i.e. the vulnerability being made public) and the remediation is as short a time as possible.

Fast, automated, patching ensures that the window of opportunity between an SAP patch being released (i.e. the vulnerability being made public) and the remediation is as short a time as possible.

(2) Leaving default settings in SAP and SAP system accounts

An obvious one but, amazingly, we still find that many SAP systems still have some default settings and default account passwords in effect, even after many years of being in Production.

Unfortunately, it is easy to find publicly available scripts and code to exploit these to create new accounts and perform fraudulent activity or steal sensitive and valuable data.


(3) No Real Time Enforcement (Dynamic Access Controls) or Behaviour Monitoring - your last line of Defense!

As crucial as patching is, there could be new, as yet unknown, vulnerabilities within your SAP systems. Or, internal exploitation could be taking place through the use of ‘Superuser’ accounts, system accounts, or via access to multiple accounts. The two most effective ways to identify and mitigate this risk is through Behaviour Monitoring and Real-Time Enforcement.

Effective Behaviour Monitoring can detect;

  • Unusual Behaviour, such as accounts being used at unusual hours of the day, or perhaps two accounts being used from the same IP address in an attempt to avoid SoD detection
  • Undesirable Behaviour, regardless of whether the account has the authority or not to perform the activities, such as an Emergency Access account attempting to download sensitive employee data.

Real-Time Enforcement (or Dynamic Access Controls) can be used to prevent or limit any undesirable activity, such as blocking the usage of certain transactions outside of the internal network, or to immediately force log-out and lock any account accessing sensitive data.

Real-Time Enforcement (or Dynamic Access Controls) can be used to prevent or limit any undesirable activity, such as blocking the usage of certain transactions outside of the internal network, or to immediately force log-out and lock any account accessing sensitive data.

(4) Not understanding or monitoring the connections between SAP systems and third-party systems

One of the most difficult and complex areas of SAP security is the ability to map, analyze, and monitor the hundreds, if not thousands, of systems connections and integrations between SAP systems and third party systems.

Vulnerabilities exist in their multitude which, even when closed down, are easily re-opened again via daily changes being made within networks, adding new integrations, and new user accounts. A commonly seen vulnerability is the ability for powerful non-Production accounts being used to hop over RFC connections and use their credentials within Production Systems.


(5) The SAP Security focus has been largely geared towards internal GRC SoX/SoD controls leaving organisations blindsided by the ever growing number of SAP 'system level' cyber threats, especially when moving to the cloud

Internal GRC controls are quite rightly given a high focus but, unfortunately, we do not see the same importance and attention being applied to protecting SAP systems at the application, database, and O/S layers. Many organisations assume that their technical teams or Application Service Providers are taking care of this level of security and monitoring but unfortunately this seems to rarely be the case.

Also, as important as regularly applying SAP Notes and patches is, it is not enough to eradicate vulnerabilities that arise from the often daily changes being made to your system configuration, accounts, networks and integrations, all of which  introduce new vulnerabilities.

Moving your SAP systems to the cloud should only be done after extensive vulnerability scanning and remediation has taken place, which should of course continue on a regular basis once in the cloud.

Continuous scanning, monitoring, and remediation at all levels is the only way to keep your business safe from the ever growing threats of cyber crime.


Grey Monarch have specialised in SAP security since 2008 and, along with our key partners, Appsian and Protect4S, we can offer SAP customers software, automation, and consultancy to delivery highly secure SAP environments.



What Now? ...

Learn More about our SAP Vulnerability Scanning as a Service

Book a Demo

Contact Us