Vulnerability Impacts Web-Exposed SAP Systems

The bug could be exploited by an external attacker to remotely obtain the list of SAP users from the system, says Quenta Solutions’ Sergiu Popa, whom SAP acknowledged as having reported the vulnerability.

“This service is actually an example of application to create a time-off request. This service should not be activated in production systems, however, it’s installed by default and, in reality, few SAP customers disable the component,” ERPScan founder Alexander Polyakov explains.
