The US’s Department of Homeland Security issued an alert citing that study as well, according to a recent report by Reuters.
The report by the security firms says that systems at two US government agencies and at firms in the media, energy and finance sectors were hit because they failed to install patches or take other security measures advised by Oracle or SAP.
While many of the security issues in the two technology vendors' ERP systems date back a decade or more, cyber criminals, hacker activists, and government spy agencies are increasingly interested in them, Onapsis was quoted as saying in a Reuters report.
An alert by the US’s National Cybersecurity and Communications Integration Center says an attacker can exploit such vulnerabilities to access sensitive information without being detected.
Onapsis and Digital Shadows said in their report that about 17,000 SAP and Oracle software installations are exposed to the Internet at more than 3,000 large firms, government agencies and universities.
At least 10,000 servers run incorrectly configured software that could expose them to direct attacks using known SAP or Oracle exploits, the report adds.
While the number of known bugs that pose security threats is huge among SAP and Oracle applications, especially older ones, organizations might find them costly to fix, the report says, adding that there are more than 4,000 such bugs in SAP software and 5,000 in Oracle software.