SAP has released its biggest batch of patches since 2012, including a fix for a vulnerability that has been open to exploitation since 2013.
The patches address 48 vulnerabilities in the widely used enterprise resource planning (ERP) software suite.
The flaw that has been unpatched since 2013 is a "missing authentication check" in SAP P4, according to ERPScan, a security company that focuses on ERP software.
The vulnerability was initially uncovered by Vahagn Vardanyan, a senior business applications security researcher at ERPScan.
"Initially, the patch to close this issue in the old P4 versions was released in 2012. Later, based on the SAP Security Note, we wrote a special script to exploit this vulnerability during penetration testing," Vardanyan told V3.
"The script usually worked. We decided that SAP customers didn't implement the appropriate patch and recommended that they did so.
"But once our client claimed that they had installed the patch, the investigation revealed that the bug still affects the latest versions of the service. In March, we sent this issue to the vendor and now it's finally fixed."
Three of the 48 patches are described by SAP as 'high priority' and should be implemented immediately.
ERPScan noted in a blog post that the majority of the flaws patched this month are "switchable authorisation checks".
"By these patches, new switchable authorisation checks were implemented. By default, they are inactive to ensure compatibility with processes," the company said.
"In case the authorisation is automatically turned on, it can lead to business process stoppage when an employee hasn't got access to the required functionality or documentation."
The post goes on to warn that implementing these patches is likely to require "a lot of manual work". SAP customers are advised to assign the authorisation rights to the corresponding users in accordance with corporate policies.
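To make the staged rollout concrete, the following is an added illustration (not SAP's or ERPScan's code) of how a practitioner might dry-run a newly delivered switchable authorisation check before enforcing it. The model assumes three modes for a scenario: the default inactive state described above, a logging mode that evaluates the check and records failures without blocking (labelled an assumption here), and an active mode that denies callers lacking the authorisation. The scenario name, authorisation object and user list are constructed sample data.

```python
"""Staged rollout of a switchable authorisation check (illustrative model).

Added example, not SAP or ERPScan code. A patched function now carries an
authorisation check that is inactive by default. Before switching it on,
replay representative calls in a logging mode to learn which users would
be blocked, assign them the authorisation, and only then enforce.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    INACTIVE = "inactive"  # patch installed, check not evaluated (the default)
    LOG = "log"            # evaluate and record failures, still allow (assumed mode)
    ACTIVE = "active"      # enforce: deny callers without the authorisation


@dataclass
class Scenario:
    name: str
    auth_object: str
    mode: Mode = Mode.INACTIVE
    # user -> set of authorisation objects the user holds (constructed sample data)
    grants: dict = field(default_factory=dict)
    # (scenario, user, auth_object) tuples for every failed evaluation
    log: list = field(default_factory=list)

    def check(self, user: str) -> bool:
        """Return True if the call is allowed under the scenario's current mode."""
        if self.mode is Mode.INACTIVE:
            return True
        if self.auth_object in self.grants.get(user, set()):
            return True
        self.log.append((self.name, user, self.auth_object))
        return self.mode is Mode.LOG  # LOG tolerates the failure, ACTIVE denies


def missing_grants(scenario: Scenario, calls: list) -> dict:
    """Dry run in logging mode: map each user who would be denied to the
    authorisation object they lack. The scenario's mode is restored afterwards."""
    saved = scenario.mode
    scenario.mode = Mode.LOG
    scenario.log.clear()
    for user in calls:
        scenario.check(user)
    scenario.mode = saved
    return {user: obj for _, user, obj in scenario.log}


def rollout(scenario: Scenario, calls: list, approved: set) -> list:
    """Grant the authorisation to users approved under corporate policy,
    activate the check, and return the users whose calls are now denied."""
    for user, obj in missing_grants(scenario, calls).items():
        if user in approved:
            scenario.grants.setdefault(user, set()).add(obj)
    scenario.mode = Mode.ACTIVE
    scenario.log.clear()
    return [user for user in calls if not scenario.check(user)]


if __name__ == "__main__":
    # Constructed sample: hypothetical scenario and authorisation object names.
    demo = Scenario("Z_DEMO_SCENARIO", "Z_DEMO_AUTH", grants={"alice": {"Z_DEMO_AUTH"}})
    sample_calls = ["alice", "bob", "carol", "bob"]
    print("would be denied:", missing_grants(demo, sample_calls))
    print("denied after activation:", rollout(demo, sample_calls, approved={"bob"}))
```

The dry run is the step that turns the "manual work" into a finite list: every user surfaced by `missing_grants` either gets the authorisation assigned or is deliberately left to be denied once the check goes active.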