On May 11, 2016, US-CERT released an alert about a vulnerability in SAP business applications. The vulnerability was first identified in 2010, and a patch was released at that time. It was nevertheless still being leveraged to compromise the SAP systems of many large organizations.
This raises the question: if the vulnerability was patched five years ago, why release an alert again?
To answer that question, we have to refer to a research report by Onapsis, which indicates that the same vulnerability was exploited in the SAP systems of over 36 organizations. The report points to misuse of the Invoker Servlet, a built-in function of the SAP Java platform. The root cause was that the affected SAP systems were still outdated or misconfigured, which allowed the vulnerability to be abused.
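Since the root cause was configuration rather than a missing patch, the two checks a defender would want are (a) whether the Invoker Servlet is actually switched off and (b) whether anything is still trying to reach it. The script below is an added example, not code from the article, US-CERT or Onapsis. It relies on one fact outside the article that SAP's published hardening guidance for NetWeaver AS Java documents: the Invoker Servlet is controlled by the `servlet_jsp` service property `EnableInvokerServletGlobally`, and it is reached through URLs of the shape `/<web-app>/servlet/<fully.qualified.ClassName>`. The key=value property export and the access-log line format are constructed assumptions for the example; adapt the two parsers to your own exports.

```python
"""Defender-side checks for the SAP Invoker Servlet issue (added example).

1. Confirm the servlet_jsp property EnableInvokerServletGlobally is "false".
2. Scan HTTP access-log lines for the invoker URL pattern
   /<web-app>/servlet/<fully.qualified.ClassName>; on a hardened system
   such requests indicate probing or a system that missed the hardening.
Property-export format and log format are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

PROPERTY_NAME = "EnableInvokerServletGlobally"

# Constructed sample of a key=value export of servlet_jsp properties.
SAMPLE_PROPERTIES = """
# servlet_jsp service properties (constructed sample)
EnableInvokerServletGlobally = true
SessionIdLength = 32
"""

# Constructed sample access-log lines (common-log-like format).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2016:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/May/2016:10:02:19 +0000] "GET /webdynpro/dispatcher/sap.com/tc~wd~tools/Explorer HTTP/1.1" 200 8810',
    '203.0.113.7 - - [11/May/2016:10:03:44 +0000] "GET /someapp/servlet/com.example.ReportServlet HTTP/1.1" 200 2210',
    '203.0.113.7 - - [11/May/2016:10:03:51 +0000] "POST /otherapp/servlet/com.example.Admin?x=1 HTTP/1.1" 401 310',
]

# ip  ident  user  [timestamp]  "METHOD path HTTP/x.y"  status ...
_REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)
# Invoker shape: a web-app segment, the literal "servlet", then a dotted
# fully-qualified Java class name. Requiring the dotted name avoids flagging
# an application that legitimately maps its own servlet under /servlet/.
_INVOKER_RE = re.compile(r'^/[^/]+/servlet/(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*$')


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a simple key = value export; blank lines and # comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def invoker_servlet_disabled(props: Dict[str, str]) -> bool:
    """True only when the property is explicitly "false".

    A missing property is treated as NOT confirmed disabled, because the
    check is meant to prove the hardening is in place, not assume it.
    """
    return props.get(PROPERTY_NAME, "").strip().lower() == "false"


def find_invoker_requests(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client_ip, method, path, status) for every invoker-style request."""
    hits: List[Tuple[str, str, str, int]] = []
    for line in lines:
        m = _REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line; real tooling would count these
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if _INVOKER_RE.match(path):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    state = "disabled" if invoker_servlet_disabled(props) else "NOT confirmed disabled"
    print(f"{PROPERTY_NAME}: {props.get(PROPERTY_NAME, '<missing>')} -> Invoker Servlet {state}")
    for ip, method, path, status in find_invoker_requests(SAMPLE_LOG):
        print(f"invoker request from {ip}: {method} {path} -> {status}")
```

Run against the constructed samples, the property check reports the Invoker Servlet as not confirmed disabled (the value is `true`), and the log scan returns the two `/servlet/<class>` requests from 203.0.113.7 while ignoring the portal and Web Dynpro requests. A status of 401 on such a request still deserves a look: it means the servlet was reachable enough to answer.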