Hackers are exploiting a security vulnerability in SAP business software that dates back to 2010.
The US Computer Emergency Response Team (US-CERT) has warned that at least 36 enterprises are at risk of attack if they're running outdated or misconfigured SAP software.
The problem was uncovered by Onapsis, a firm that specialises in securing SAP and Oracle business applications.
One of the companies at risk is a top-10 highest annually grossing global enterprise, and more than a dozen of the affected companies generate over $10bn in annual revenue.
Onapsis refused to name any of the potentially affected firms, Reuters reported, but said that it found customers in the US, UK, China and Germany.
"We regard these [known victims] as just the tip of the iceberg, as well as an irrefutable answer to the question: 'Are SAP applications being attacked?'" Onapsis said in its report.
The US-CERT alert released on Wednesday warned that a hacker who exploited the vulnerability could gain full access to an affected SAP platform, giving them "control of the business information and processes on these systems, as well as potential access to other systems".
Mariano Nunez, chief executive of Onapsis, said: "This is not a new vulnerability. Still, most SAP customers are unaware that this is going on."
SAP explained that the vulnerable feature was fixed in a software update six years ago. "All SAP applications released since then are free of this vulnerability," the company said in an emailed statement, cited by Reuters.
However, SAP acknowledged that these changes were known to break, or disable, customised software developments that many customers had implemented using older versions of SAP's programming language.
US-CERT urged administrators to scan systems for vulnerabilities and apply the appropriate fixes ASAP.