Over 60 US Colleges Compromised by ERP Exploit
A major vulnerability in popular enterprise resource planning (ERP) software has enabled threat actors to compromise at least 62 colleges in the United States, the US Department of Education recently warned. A NIST advisory states that the flaw, tracked as CVE-2019-8978, impacts Ellucian Banner ERP and “allows remote attackers to steal a victim’s session (and cause a denial of service).”
According to the education department, threat actors are using the flaw to create fake student accounts in the admissions or enrollment sections of the vulnerable system. Over the course of a few days, thousands of such accounts were created, some of which “appear to be leveraged almost immediately for criminal activity,” the education department stated.