An attacker can misuse PwC ACE security vulnerability in order to: – make changes to the production systems and their settings including manipulating or corrupting ABAP programs shipped by SAP and making the system and data inoperable; – plant an SAP backdoor for accessing the system and sensitive data later; and – shut down the SAP systems and cause downtime.
Apparently PwC tried to shut these researchers up by sending lawyers at them, instead of working together to close the holes. Before this blew into a court case, the researchers have gone full disclosure. The people at PwC need to learn that security is something that can’t be hidden – if these guys found the holes, someone else will too. Working together with people trying to help you out is a much better strategy than threatening them.