ERPScan's researchers have disclosed, at the Troopers security conference, the details of two vulnerabilities that allow an attacker to compromise an SAP CRM system.
The application stores business-critical data such as clients' personal information, so a compromise results in reputational and financial losses.
The Troopers security conference is an annual event with a dedicated track focused on SAP security.
SAP, a software company based in Germany, was not available for comments on the security threat to its CRM customers.
“It takes nothing to exploit these vulnerabilities. Perpetrators can remotely read any file in SAP CRM without authentication. We scanned the Internet and found nearly 500 SAP servers that are prone to it,” said Vahagn Vardanyan, senior security researcher of ERPScan.
ERPScan identified a directory traversal vulnerability and a log injection vulnerability in the solution. Combined, the two issues lead to information disclosure, privilege escalation, and complete compromise of the SAP system. ERPScan said that the two bugs can wreak havoc in any company running SAP CRM.