Insights

ERP security intelligence. Real incidents, practical analysis.

Field-based analysis of threats, vulnerabilities, and regulatory changes affecting ERP environments in Australia — across Microsoft Dynamics, Oracle, TechnologyOne, NetSuite, SAP and more.

Pen Testing | May 2026

Microsoft Dynamics 365

Dynamics 365 CVE-2026-42898: A CVSS 9.9 RCE That Turns Your CRM Into a Remote Execution Platform

Microsoft's May 2026 Patch Tuesday included a critical code injection vulnerability in Microsoft Dynamics 365 On-Premises — CVE-2026-42898 — rated CVSS 9.9, one of the highest severity scores issued for a business application in recent memory. The flaw allows an authenticated attacker with low privileges to execute arbitrary code over the network by manipulating process session data within Dynamics CRM. No user interaction is required. A second Dynamics 365 vulnerability patched in the same release, CVE-2026-42833 (CVSS 9.1), allows an authorised attacker to execute code over a network and gain the ability to interact with other tenants' applications — a particularly dangerous capability in multi-tenant environments. These vulnerabilities follow a broader trend: Azure and Dynamics 365 experienced a nine-times increase in critical vulnerabilities in 2025 compared to the prior year, according to BeyondTrust's 2026 Microsoft Vulnerabilities Report.

Full white paper available

ERP Penetration Testing: Application-Layer Risk Across Microsoft Dynamics 365

Cloud Infrastructure | April 2026

Oracle Cloud / ERP broadly

Oracle's Three 2025 Breaches: The Shared Responsibility Gap Every Cloud ERP Customer Is Carrying

In 2025, Oracle became the subject of three separate security incidents affecting over 140,000 cloud tenants. The first exploited CVE-2021-35587 — a critical Oracle Access Manager vulnerability on CISA's Known Exploited Vulnerabilities list since 2022 — against infrastructure last updated in 2014. The second saw the Clop ransomware group exploit a zero-day in Oracle E-Business Suite (CVE-2025-61882, CVSS 9.8), quietly exfiltrating data for weeks before launching a mass extortion campaign. A third compromised Oracle's Cerner healthcare server environment. In each case the root cause was not a sophisticated novel attack — it was unpatched infrastructure, outdated middleware, and insufficient monitoring of systems that were assumed to be someone else's responsibility to secure.

Full white paper available

Cloud ERP Shared Responsibility: The Configuration Gaps Australian Organisations Are Missing

Cyber Assessment | March 2026

TechnologyOne / NetSuite

When Australian ERP Vendors Get Breached: TechnologyOne, NetSuite, and the Assessment Gap in Councils and Government

TechnologyOne — Australia's largest enterprise software company, with over 1,300 customer organisations including local councils, universities, state agencies, and hospitals — confirmed a cyberattack on its internal Microsoft 365 back-office systems. The incident halted ASX trading and raised questions about the security of customer data across one of Australia's most widely deployed government ERP platforms. Separately, cybersecurity researchers at AppOmni identified thousands of Oracle NetSuite SuiteCommerce sites leaking sensitive customer data due to misconfiguration of access controls — a finding that applied broadly to NetSuite customers using its e-commerce module without proper permission governance in place.

Full white paper available

ERP Security for Australian Government and Councils: A Practical Assessment Framework

IAM & Architecture | March 2026

Oracle / NetSuite / Workday

Browser Extensions, Identity Takeover, and the ERP Access Risk Nobody Is Governing

In January 2026, Infosecurity Magazine reported the discovery of malicious Google Chrome extensions specifically targeting users of Workday and NetSuite — two of the most widely deployed cloud HCM and ERP platforms globally. The extensions, available through the Chrome Web Store, were designed to harvest session credentials and intercept authenticated ERP sessions, giving attackers access to enterprise environments without needing to compromise the ERP platform itself. In March 2026, Oracle issued an emergency out-of-band security alert for CVE-2026-21992 (CVSS 9.8) — a pre-authentication remote code execution vulnerability in Oracle Identity Manager that enables a remote attacker to take over the identity management system governing access to Oracle Fusion ERP, HCM, and all connected enterprise applications.

Full white paper available

ERP Identity Architecture: Designing for Resilience When Identity Infrastructure Is the Target

AI + ERP | May 2026

Microsoft Copilot / Oracle AI / All ERP platforms

Microsoft 365 Copilot's Three Critical CVEs: What AI Integration Risks Look Like in Practice

On 7 May 2026, Microsoft disclosed three critical information disclosure vulnerabilities in Microsoft 365 Copilot — CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 — all carrying Critical severity ratings. The vulnerabilities affected Copilot Business Chat and Copilot Chat embedded in Microsoft Edge, with attack vectors that required no authentication and no user interaction. While Microsoft remediated the flaws server-side without requiring customer action, the disclosures confirm what security researchers have been flagging for months: AI tools connected to enterprise data stores create information disclosure risks that operate at a layer above traditional ERP and infrastructure security controls. Copilot's access to Microsoft 365 data — including Dynamics 365 financial and operational records, SharePoint documents, and email — means vulnerabilities in the AI layer translate directly into ERP data exposure.

Full white paper available

AI Integration and ERP Security: Governing Access, Data Exposure, and Audit Coverage

Stay ahead of ERP security threats.

We publish practical ERP security intelligence — not vendor marketing. New insights are added as the threat landscape evolves across all major ERP platforms.
