Russian company ERPScan, which specialises in the security analysis of SAP systems, has published a report which shows that many organisations using those systems have vulnerable services exposed to the internet. Depending on the service in use, 5 to 25% of companies have vulnerable services exposed to the public. The security firm compiled the data by using a combination of Google searches and TCP port scans of more than a thousand companies from around the world. ERPScan says that "one of the goals of the research was to dispel the myth that SAP systems are secured from hackers and are only available from the internal network".
Insecure installations included those companies which exposed the vulnerable SAP Dispatcher service directly to the internet. In testing, ERPScan found that SAP Dispatcher could be accessed by logging in with default credentials. The service also suffers from multiple buffer overflows and a flaw which could lead to remote code execution. ERPScan recommend that it not be accessible from an external network, especially as exploit code was published on 9 May.