ERPScan, the ERP security specialist firm which originally discovered the misconfiguration flaw (research pdf here), said that Onapsis’s figures on exposure to the vulnerability are optimistic by more than an order of magnitude.

Alexander Polyakov, CTO at ERPScan, told El Reg that its research suggests as many as 533 organisations are at risk.

“Onapsis said that 36 organizations were actually breached,” Polyakov told El Reg. “Our assumption is that all of them were just examples of vulnerable systems which white-hats publish on their forum.”

“Onapsis’ assumption that those publications on Chinese forum are examples of cyberattacks is wrong. I agree with them is that there are many vulnerably systems (533 at least) and some people probably hacked them for real profit. Not just published a screenshot of potential deface but really performed [a} cyberattack.”

Source: 36 firms at risk from that unpatched 2010 SAP vuln? Try 500+