- The average number of security patches for SAP products per year has
Nonetheless, this does not mean that the number of issues has dropped as well. SAP now fixes multiple vulnerabilities in one patch, whereas 3 years ago each patch addressed a single one. The new approach simplifies the patching process, since system administrators need to apply fewer updates. However, it complicates analysis and correlation with CVEs, as SAP doesn’t provide any public information about how many vulnerabilities every patch
- The list of vulnerable platforms has expanded and now includes modern cloud and mobile technologies such as HANA.
Because of cloud and mobile technologies, new SAP systems have become more exposed to the Internet, and thus every vulnerability identified in these services can affect thousands of multinationals (recall that 90% of the Fortune 2000 companies use SAP). If any of these vulnerabilities is exploited by a hacker, the world’s economy will face dreadful consequences. For example, the latest reported issues in SAP Mobile affect more than a million mobile devices, and a SAP HANA vulnerability affects 6000+ SAP HANA users.
- There are vulnerabilities in almost every SAP module, with CRM, EP, and SRM leading the list.
Without a doubt, the level of cybersecurity varies from module to module. According to our study, the most vulnerable products are CRM, EP, and SRM. However, one shouldn’t underestimate the vulnerabilities affecting SAP HANA and SAP Mobile apps. The traditional SAP modules, like the ones mentioned above, were introduced about two dozen years ago, but their first vulnerabilities were discovered just several years ago, i.e. SAP HANA and SAP Mobile apps attracted researchers’ (and, unfortunately, hackers’) attention more quickly than the traditional
- The number of vulnerabilities in industry-specific solutions has grown
SAP has a set of products designed for particular industries. More than 160 vulnerabilities have been detected in these industry solutions. The most susceptible types of industry solutions are SAP for Banking, Retail, Advertising Management, Automotive, and
- The threat landscape is growing worldwide, affecting 36000
It is increasing especially in countries that are unaware of SAP cybersecurity. Almost 36000 SAP systems were identified, including various services vulnerable to cyberattacks. Most of those services (69%) should not be exposed directly to the
- The consequences of the incidents are becoming more and more
We stated in 2013 that the interest in SAP platform security was growing exponentially. We predicted that SAP systems could become a target both for direct attacks (e.g. APT) and for mass exploitation, because of a range of easily exploitable and widely installed services accessible from the Internet. Since 2013, we have witnessed 4 major cyber incidents related to SAP security.
- Critical IoT infrastructure is at risk.
SAP not only manages enterprise resources but also acts as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used to exploit critical
- Almost half of the unnecessarily exposed services are located in 3
Numerous unnecessarily exposed services are found in countries where new technologies are being widely adopted (such as the USA, India, and China).
- The number of SAP Security talks delivered at different conferences worldwide correlates with the number of unnecessarily exposed services (compared to the total number of implemented systems).
Countries where the highest number of SAP Security presentations were delivered (namely, the USA, Germany, and the Netherlands) are characterized by more secure SAP system installations than countries where SAP researchers did not present their studies. ERPScan is proud to have been invited to speak in 25 different countries across 6 continents, including such places as Cyprus, Kuwait, and Hungary, among others. Hopefully, this has somehow helped to increase SAP Security
- The previous report helped to decrease the number of exposed SAP systems with critical issues
While the number of publicly available SAP services is growing, the number of systems with highly critical vulnerabilities in easily accessible services, as presented in the previous report, has decreased; we hope this is due, not least, to our previous SAP Security in Figures research released in 2013. However, new issues of equal criticality were described in this