A critical flaw in a security tool that PricewaterhouseCoopers (PwC) built for SAP systems could allow attackers to manipulate the accounting and financial data of the firm's clients, according to recently published research.
German security firm ESNC found the high-risk flaw in the Automated Controls Evaluator (ACE), a tool that extracts security and configuration data from an SAP system and generates exception reports for review.
"This security vulnerability may allow an attacker to manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," ESNC said in an advisory.
The research goes on to state that, if exploited, the flaw could lead to fraud, theft or manipulation of sensitive data (including customer master data and HR payroll information), unauthorised payments and more.
According to the investigation, the flaw affects version 8.10.304, and earlier versions may also be at risk. ESNC reports that an attacker, either remotely or with on-site access, may be able to inject malicious code into the affected system, which could allow the server's security controls to be bypassed entirely.
PwC denies its software is flawed
PwC has denied that its software is flawed and issued a statement saying: "The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients. It is a hypothetical and unlikely scenario."
ESNC said that although it had discussed the flaw with PwC, the company initially did not respond with an explanation. Some days later, however, ESNC received a cease-and-desist letter from PwC's lawyers, indicating that PwC wanted the security firm to stop the research, after which ESNC decided to make its findings public.