Wiz Research uncovers critical vulnerabilities in SAP AI Core, potentially exposing customer data and cloud environments to malicious actors. The research reveals that executing arbitrary code through AI training procedures allowed lateral movement and service takeover, granting access to sensitive customer files and cloud credentials.
Key findings: Wiz researchers gained privileged access to SAP AI Core’s internal assets by exploiting vulnerabilities, enabling them to:
Vulnerability chain: The attack began by bypassing network restrictions enforced by an Istio proxy sidecar. This provided access to several internal services that lacked additional authentication:
Broader implications: The research highlights the unique challenges of securing AI services, where executing arbitrary code is part of the standard training process. It demonstrates the importance of defense-in-depth and the pitfalls of perceiving internal networks as inherently trusted. Appropriate guardrails must be implemented to properly isolate untrusted AI workloads from internal assets and other tenants.
SAP addressed all reported vulnerabilities in cooperation with Wiz Research. The disclosure process spanned from January to July 2024.