Thousands of SAP servers on the internet could be affected by vulnerabilities that bypass authentication checks, a researcher will demonstrate at Black Hat 2011.
Alexander Polyako, chief technology officer at ERPScan, found flaws in the J2EE engine of SAP NetWeaver software that could allow an attacker to assign themselves administrative privileges.
"For example, it is possible to create a user and assign to the administrators group using two unauthorised requests to the system," Polyako said.
"It is also dangerous because that attack is possible on systems protected by two-factor authentication."
The company demonstrated the vulnerabilities with a tool that searches for SAP servers with undisclosed keywords. It found that "more than half of [detected] servers could be hacked" using the vulnerability.
The vulnerabilities could affect many more SAP servers built with custom configuration, according to Polyako.