
Here’s Why a Bug Patched by SAP Is Sounding U.S. Government Alarms

By Reuters
May 11, 2016, 10:34 AM ET

Europe’s biggest software company, SAP, is the subject of a U.S. security alert over a vulnerability the firm disabled six years ago that can still give outside attackers remote control over older SAP systems if the software is not properly patched.

SAP fixed the issue, but left the decision over whether to switch off an easy access setting up to its customers, who may sometimes place a higher priority on keeping their business-critical SAP systems running than on applying security updates.

The U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued an alert to the security industry on Wednesday advising SAP customers what they need to do to plug the holes. It is one of only three such security warnings the agency has issued so far this year. Details are at https://www.us-cert.gov/ncas/alerts/TA16-132A.

Dozens of companies have been exposed to these security gaps in recent years, and a far larger number of SAP customers remain vulnerable, said Onapsis, a firm that specializes in securing business applications from SAP and rival Oracle.


“This is not a new vulnerability,” Mariano Nunez, chief executive of Onapsis, which works with SAP to plug security holes, told Reuters in advance of the U.S. security alert. “Still, most SAP customers are unaware that this is going on.”

SAP, whose software acts as the corporate plumbing for many multinationals and which claims 87% of the top 2000 global companies as customers, disclosed the vulnerability in 2010 and has offered software patches to fix the flaw.

SAP issued a statement that the vulnerable feature was fixed when the company introduced the software update six years ago. “All SAP applications released since then are free of this vulnerability,” the company said in an emailed statement.

However, it acknowledged that these changes were known to break—or disable—customized software developments that many customers had implemented using older versions of SAP’s programming language.

The problem continues because a sizable number of big SAP customers are known to depend on these older versions of the software that in many cases date back years, or in extreme examples, even decades.

The alert underscores how SAP software often is managed inside companies as an internal system, without heightened awareness it is susceptible to the sort of attacks that public-facing websites, email systems and networks suffer daily.

The trouble is less of a software issue than one of accountability for how such bugs get fixed, security experts say. Customers rely on a chain of consultants, external audit firms and specialized internal SAP security teams to decide when to install patches without risking destabilizing their systems.

SAP produces dozens of software patches each month to fix bugs in its software.

It is by no means unique. Microsoft, for example, pushes out similar patches on the second Tuesday of each month to millions of office network administrators, who must decide when to apply these fixes, a process dubbed “Patch Tuesday.”

But in the case of SAP, an unknown number of customers have not applied the fix. Security experts say that because SAP systems contain sensitive financial, human resources and business strategy information, SAP security typically is the responsibility of specialists familiar with the complexities of the underlying business applications, rather than company-wide security teams who focus on outside cyber security threats.

SEGREGATION

Thirty-six enterprises have been found to have telltale signs of unauthorized access, according to a report to be published on Wednesday by Boston-based Onapsis and given to Reuters in advance.

Since 2013, the vulnerabilities of the 36 enterprises have been detailed on a Chinese-language online discussion forum, where methods for exploiting outdated or misconfigured SAP NetWeaver Java systems are openly described, Nunez said.

The targets were both prominent Chinese domestic companies and foreign joint ventures, Reuters confirmed.

Onapsis has subsequently found other susceptible SAP customers in the United States, Germany, and Britain, Nunez said, but he declined to name them.

The targets range from telecommunications to utilities, retail, automotive and steel firms and include more than a dozen with annual turnover of at least $10 billion, Onapsis said.

“We regard these (known victims) as just the tip of the iceberg, as well as an irrefutable answer to the question: ‘Are SAP applications being attacked?’” Onapsis said in its report. Onapsis also works on behalf of 200 SAP customers ranging from Daimler to Siemens to Westinghouse and the U.S. Army.


One major SAP customer who was subject to multiple attacks related to the flaw said that the software—originally created to help programmers rapidly test new features—had left open a backdoor to his organization’s inner workings.

When challenged about the issue, SAP’s initial response was to tell him, “‘This isn’t a vulnerability. It’s a feature. If you don’t like it you should turn it off’,” said the customer, who asked not to be named due to commercial sensitivities.

Google, the company behind Android software used to power three-quarters of the world’s smartphones, also issues regular security patches.

But just as is the case with SAP, phone makers and network operators must decide when to update their software, a gap that has left hundreds of millions of Android phone users vulnerable to widely known threats. U.S. regulators this week said they were investigating the roadblocks to more timely security updates for phone users.
