Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
SAP weak/predictable user credentials - Vulnerability Database

SAP weak/predictable user credentials

Description

Exploiting weak/predictable user credentials is one of the most common and successful attack scenarios used against SAP systems. During the installation, SAP systems create the standard users SAP*, DDIC and EARLYWATCH. Invicti tried the default passwords for these standard users (and other commonly used SAP users) and managed to guess a set of credentials that were accepted by the SAP system.

Remediation

To protect standard SAP users from unauthorized use: <br/> <ul> <li>Define a new superuser and deactivate SAP*.</li> <li>Change all of the default passwords for these users.</li> </ul>

References

SAP - Protecting Standard Users
How to Configure WEB-GUI for SAP
How to configure Your SAP GUI HTML for Web Access

Related Vulnerabilities

Weak password High
Common tags: Information Disclosure Configuration Weak Credentials
Web application default/weak credentials High
Common tags: Information Disclosure Configuration Weak Credentials
WebLogic admin console weak credentials High
Common tags: Information Disclosure Configuration Weak Credentials
Jenkins weak password High
Common tags: Information Disclosure Configuration Weak Credentials
IBM WebSphere administration console weak password High
Common tags: Information Disclosure Configuration Weak Credentials

Severity

High

Classification

CWE-200
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure
Configuration
Weak Credentials