Sage X3 software vulnerability found, addressed

Cybersecurity company Rapid7 announced Wednesday that it found several security vulnerabilities in the Sage X3 ERP software.

According to Rapid7, company researchers found four security gaps. The first two are protocol-related issues involving remote administration of Sage X3, and the latter two are web application vulnerabilities.

Rapid7 advises that Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required. The company stated that this effectively mitigates all four vulnerabilities, though customers are still urged to update according to their usual patch cycle schedules.

Sage has been made aware of the vulnerabilities and has taken immediate steps to remedy them.

“Sage takes the security of its customer solutions extremely seriously, and regularly undertakes proactive testing across its products to identify potential vulnerabilities and provide fixes,” a spokesperson for the company told Accounting Today. “We are grateful to Rapid7, who recently made us aware of a vulnerability in our on-premises Sage X3 product. Sage and our partners have issued a fix for the vulnerability, contacted all applicable customers, and advised them on the onward process.”

Following the recent cyberattacks on Colonial Pipeline and JBL, companies should be extra vigilant with their ERP software. Sage X3 is often used for supply chain management in medium and large organizations, which could make it a target for this particular flavor of cybercriminal.

Sage will automatically apply the fix to Sage X3 customers’ environments as part of its standard maintenance. More information can be found here.
