UPDATED 07:40 EDT / MAY 15 2015

New exploits show SAP less secure than previously thought

After Heartbleed and POODLE, organizations relying on software from SAP SE to power their operations now have a new exploit to worry about that poses a potentially even bigger threat. The vulnerability lies in the way business data is handled when traveling across the network.

The German business intelligence powerhouse employs a proprietary implementation of the popular Lempel-Ziv-Thomas (LZC) and Lempel-Ziv-Huffman (LZH) compression algorithms to reduce the number of bits moving around, which in itself is nothing out of the ordinary. The problem starts when it’s time to convert that data back into a format the software can read.

As Martin Gallo of Core Security Consulting Services Inc. revealed in the recently published memo detailing his discovery of the exploit, the code that handles the decompression process can accept input with more bits than the variables used to store the information are capable of containing. That creates an opening for hackers to reach deep into the inner workings of the targeted system.

The nature of the vulnerability is such that input continues to be ingested even after the allocated space runs out, which causes the bits to spill over into adjacent memory where other information is often already stored. That usually causes the affected program to crash, but in this case, a request can continue overwriting existing data until reaching the control logic used to manage the decompression process.
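The spill-over described above is a decoder writing a declared run length into a fixed-size output buffer without first checking that the space exists. The following is an added example, not SAP's code or Gallo's: a toy LZ-style decoder over a token format constructed for illustration, showing the bounds checks a safe decompressor makes before each write (removing the two `out_cap` tests gives the unsafe form).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy token stream, constructed for this example (not SAP's LZC/LZH format):
 *   0x00 <byte>          emit one literal byte
 *   0x01 <dist> <len>    copy <len> bytes starting <dist> bytes back in the output
 * Returns bytes written, or -1 if the stream is malformed or would exceed out_cap. */
long decompress_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (ip >= in_len)  return -1;          /* truncated literal */
            if (op >= out_cap) return -1;          /* output buffer already full */
            out[op++] = in[ip++];
        } else if (tag == 0x01) {
            if (ip + 1 >= in_len) return -1;       /* truncated back-reference */
            size_t dist = in[ip++];
            size_t len  = in[ip++];
            if (dist == 0 || dist > op) return -1; /* points before the output start */
            if (len > out_cap - op)     return -1; /* declared length vs. remaining space */
            for (size_t i = 0; i < len; i++) {     /* byte-wise so overlapping runs work */
                out[op] = out[op - dist];
                op++;
            }
        } else {
            return -1;                             /* unknown token */
        }
    }
    return (long)op;
}

/* Constructed inputs: a valid stream, and one declaring a 200-byte run for a 16-byte buffer. */
static const uint8_t good_stream[]      = { 0x00, 'a', 0x00, 'b', 0x01, 2, 4 };
static const uint8_t oversized_stream[] = { 0x00, 'a', 0x01, 1, 200 };

long run_good(void)            /* expected 6 bytes, "ababab"; -2 if the content is wrong */
{
    uint8_t buf[16];
    long n = decompress_checked(good_stream, sizeof good_stream, buf, sizeof buf);
    return (n == 6 && memcmp(buf, "ababab", 6) == 0) ? n : -2;
}

long run_oversized(void)       /* expected -1: the run is rejected, the buffer is never overrun */
{
    uint8_t buf[16];
    return decompress_checked(oversized_stream, sizeof oversized_stream, buf, sizeof buf);
}
```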

A sharp-eyed hacker could take advantage of the flaw to overwrite that section with malicious code and subvert the program, and Gallo’s report shows that such control can be exploited in a wide variety of ways. Since all of SAP’s core products are affected, attackers could compromise a back-end database with an oversized request, target client software installed on users’ desktops, or simply intercept unencrypted traffic between the two and inject their malware there.

The potential impact can range from denial-of-service to data theft, which is especially alarming given that SAP’s software is most often used to power critical processes such as finance and human resources. The business intelligence giant has already issued a patch to fix the vulnerability, but that may not be much consolation to the tens of millions of people whose information is potentially at risk.

A study of SAP customers from Onapsis Research published shortly before Gallo released his discovery found that a massive 95 percent of implementations suffer serious security vulnerabilities, in large part because administrators fail to apply patches on time. That doesn’t cast a particularly good light on the quality of the company’s software, but it does have one, albeit rather limited, upside.

The difficulty of protecting on-premises installations provides another reason for CIOs to start looking toward the hosted options that SAP has been pushing in recent years, which remove the burden of handling updates along with most of the other operational challenges found behind the firewall. The irony is that security concerns have long been one of the main reservations enterprises have about adopting the as-a-service model.
