
SAP Server - default credentials enabled

Medium
Starbucks

Team Summary

Official summary from Starbucks

@ak1t4 reported that the Starbucks SAP server webgui was exposed to the internet with default TMSADM credentials. Although the risk was flagged as critical by the researcher, Starbucks security, along with the SAP security team, performed an internal assessment of the risk and changed the severity to medium based on the following information: TMSADM does not have privileges for updating the configuration and did not have access to production data. All the data that was exposed with the TMSADM account was limited to test data that was part of the default installation. There was information disclosure of a few internal server names through web pages, but those machines are locked down from internal and external access. As part of the resolution, the default password was changed and access was further restricted. Thanks @ak1t4!

Reported by ak1t4

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Improper Authentication - Generic