Rapid7 Outlines SAP Attack Vectors for Pen Testers

Just recently, reports of a banking Trojan modified to look for SAP GUI (graphical user interface) installations reignited discussion about vulnerabilities impacting SAP ERP (enterprise resource planning) systems.

Hoping to build on that awareness, researchers at Rapid7 released a paper outlining how its Metasploit tool can be used to perform penetration tests on ERP systems.

“As criminals get smarter about ERP systems, I have no doubt they’ll use that to their advantage,” said Todd Beardsley, Metasploit Engineering Manager at Rapid7. “This is why we’re trying to educate legit security practitioners; the existence of a Trojan that targets SAP directly says that at least someone in the criminal underground already knows a thing or two about SAP, so Metasploit is striving to level the playing field between attackers and defenders.”

As part of its research, Rapid7 discovered approximately 3,000 SAP systems directly exposed to the Internet. Systems covered by SAP run the gamut from ERP to customer relationship management (CRM) and product lifecycle management (PLM) systems, Rapid7 noted, meaning that compromising them could spell disaster.

Oftentimes, attackers will try to get access to SAP systems through a compromised host on the target network, for example by compromising a desktop computer through a spear-phishing email. In the report, Rapid7 runs through a number of attack vectors, such as attacking SOAP (Simple Object Access Protocol) remote function calls and brute-forcing the SAP Web GUI login with Metasploit.
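The Web GUI brute-forcing vector mentioned above is one a defender can watch for in HTTP access logs. The following detector is an added example, not code from the Rapid7 paper or from Metasploit; it assumes a failed logon shows up as an HTTP 401 on a POST to the Web GUI path `/sap/bc/gui/sap/its/webgui`, and the log lines are constructed in a generic layout rather than SAP's native ICM log format, so adjust the parser and status check to what your landscape actually records.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (generic layout, NOT SAP's own ICM log
# format): client IP, timestamp, method, path, HTTP status. 10.0.0.5 hammers
# the Web GUI logon; 10.0.0.9 is a user who mistypes a password once.
SAMPLE_LOG = """\
10.0.0.5 [2013-05-01 10:00:01] POST /sap/bc/gui/sap/its/webgui 401
10.0.0.5 [2013-05-01 10:00:02] POST /sap/bc/gui/sap/its/webgui 401
10.0.0.9 [2013-05-01 10:00:03] POST /sap/bc/gui/sap/its/webgui 401
10.0.0.5 [2013-05-01 10:00:03] POST /sap/bc/gui/sap/its/webgui 401
10.0.0.9 [2013-05-01 10:00:05] POST /sap/bc/gui/sap/its/webgui 200
10.0.0.5 [2013-05-01 10:00:04] POST /sap/bc/gui/sap/its/webgui 401
10.0.0.5 [2013-05-01 10:00:06] POST /sap/bc/gui/sap/its/webgui 401
10.0.0.5 [2013-05-01 10:30:00] POST /sap/bc/gui/sap/its/webgui 401
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
WEBGUI_PATH = "/sap/bc/gui/sap/its/webgui"  # SAP Web GUI logon path


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["method"], m["path"], int(m["status"]))


def detect_webgui_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: time_of_first_alert} for clients that produced at least
    `threshold` failed (HTTP 401) Web GUI logon POSTs within any sliding
    window of `window_seconds`. Assumed logging behaviour, see lead-in."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])  # logs are not always emitted in order
    for ip, ts, method, path, status in events:
        if not (method == "POST" and path == WEBGUI_PATH and status == 401):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts
```

Running `detect_webgui_bruteforce(SAMPLE_LOG)` flags only `10.0.0.5` (five failures inside a minute); the single failure from `10.0.0.9` and the isolated failure half an hour later fall below the threshold.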

“It is hard to imagine any type of important data that is not stored and processed in these systems,” according to the report. “Targeting SAP systems should therefore be part of every penetration test that simulates a malicious attack on an enterprise to mitigate espionage, sabotage and financial fraud risks. The challenge is that many penetration testers are more familiar with operating systems, databases, and web applications, so descending into the world of SAP systems can be daunting.”

Many of the vulnerabilities Rapid7 sees are related to abusing functions of the SAP platform in order to profit and/or abuse configuration issues and weaknesses, explained Juan Vazquez, Rapid7 Exploit Developer. Similar to other big software, there are also issues related to programming errors when handling input, like buffer overflows, he added.

“SAP is complex software that’s often treated like a black box from a security perspective; we believe that very few security organizations have a firm grasp on their SAP infrastructure,” Beardsley noted. “That’s why we wrote the paper in the first place, to educate both pen-testers and users of this software to these rather large question marks.”
