SAP security specialists ERPScan, the firm that discovered the SAP-probing variant of the Shiz Trojan, reckons 3,400 SAP systems are exposed online (the difference in figures is because Rapid7 is only looking at web-based systems, according to ERPScan). However, this isn't even the worst of the problem with insecure ERP systems.
"What is more critical is that almost 5,000 SAP routers are published on the internet and 85 per cent of them are vulnerable to remote code execution. Thousands of other services are also exposed - at least 10,000 were found during some scans, but it's very hard to calculate the full number," Alexander Polyakov, CTO and co-founder of ERPScan, told El Reg.
The latest annual survey (PDF) into the state of SAP security by ERPScan found that the most popular SAP release is still NetWeaver 7.0, which was released in 2005 but still commands 35 per cent of the market. The general state of SAP security is getting worse, ERPScan concludes.
"Old issues are being patched, but a lot of new systems have vulnerabilities. SAP acquires new companies and invents new technologies faster than researchers analyse them," according to the ERP security specialists.