SAP's AI Core platform has some worrying security flaws, so patch now

SAP’s AI Core platform carried multiple vulnerabilities that allowed threat actors to steal access tokens and sensitive customer information, experts have warned.

AI Core is a service in the SAP Business Technology Platform that supports the execution and operation of predictive artificial intelligence (AI) workflows in a standardized and scalable way. It was built to integrate seamlessly with other SAP solutions, and allows any AI function to be easily realized using open-source frameworks.

In total, there were five flaws, discovered by Wiz, whose researchers gave them the umbrella name SAPwned and explained how threat actors could leverage them.

No victims (yet)

"The vulnerabilities we found could have allowed attackers to access customers' data and contaminate internal artifacts – spreading to related services and other customers' environments," they told The Hacker News.

In other words, hackers could have stolen the credentials to people’s Amazon Web Services (AWS) instances, Microsoft Azure, and the SAP HANA Cloud.

Furthermore, the vulnerabilities allowed hackers to modify Docker images or artifacts on the SAP Artifactory, an ability that could have been used in supply chain attacks.

Finally, SAPwned could have been leveraged to gain admin access to SAP AI Core’s Kubernetes cluster. "Using this access level, an attacker could directly access other customer's Pods and steal sensitive data, such as models, datasets, and code," the researchers further stated. "This access also allows attackers to interfere with customer's Pods, taint AI data and manipulate models' inference."

The researchers tipped SAP off in late January 2024, and the company came back with a patch in mid-May. Wiz confirmed that no customer data was compromised by the flaws, suggesting that the researchers found the vulnerabilities before any malicious groups did.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
