Nation states, cybercriminals and hacktivist groups are attacking known vulnerabilities in common business software that can lead to losses of data, according to a new report.

Firms that use enterprise resource planning software, specifically from SAP and Oracle, are at ‘critical risk’ when not patched, according to a study released July 25.

Enterprise resource planning software is a goldmine of information because of the swaths of data it keeps, according to the report written by Digital Shadows, a software protection company, and Onapsis, a cyber risk organization. Examples of the software include products handling supply chain management, customer relationship management and business intelligence.

The software is vulnerable because “customers struggle to apply security patches,” the report said. “Many of the previously listed vulnerabilities that historically affected SAP and Oracle EBS applications can still be exploited. Exploits may be traded in criminal forums, in dark web marketplaces or within dedicated exploit sites.”

On the same day the report was released, the Department of Homeland Security warned that “an attacker can exploit these vulnerabilities to obtain access to sensitive information.”

Although the flaws are known and the solution is a simple software update, the security gaps have been responsible for some of the most significant hacks of the government and private sector.

In August 2014, the largest provider of background investigations to the U.S. government, USIS, announced that it was hacked, apparently through a common SAP vulnerability.

In December of the same year, a Fortune 500 company suffered from an SAP sabotage hack, according to the report.

And, in May 2016, the Department of Homeland Security warned that at least 36 organizations worldwide are affected by an SAP flaw due to outdated or misconfigured software. The hack resulted in attackers gaining “full access to affected SAP systems.”