SAP Security Patch Day January 2026

Posted on By CWS

SAP launched 17 new safety notes on January 13, 2026, as a part of its month-to-month Safety Patch Day, addressing important injection flaws and distant code execution vulnerabilities throughout key merchandise.

No updates addressed prior notes, urging organizations to behave swiftly on the 4 HotNews-level vulnerabilities.​

4 important points dominate this patch cycle, with CVSS scores reaching 9.9, indicating extreme impacts equivalent to full-system compromise. Attackers might exploit these remotely, usually with low privileges, to control information or execute code throughout scopes.​

Essentially the most urgent situation is SQL injection in SAP S/4HANA Non-public Cloud and On-Premise Financials – Common Ledger (CVE-2026-0501), the place authenticated, low-privilege customers can inject arbitrary SQL queries, compromising the confidentiality, integrity, and availability of monetary information.

Distant code execution strikes SAP Wily Introscope Enterprise Supervisor Workstation (CVE-2026-0500), permitting unauthenticated attackers with person interplay to grab management.

Code injection flaws hit SAP S/4HANA (CVE-2026-0498) and Panorama Transformation (CVE-2026-0491), each with a CVSS rating of 9.1, letting high-privilege customers inject and run malicious code remotely.​

Notice #CVE IDProductAffected VersionsCVSS v3.1Priority3687749​CVE-2026-0501​S/4HANA (Financials – Common Ledger)​S4CORE 102-109​9.9​Important​3668679​CVE-2026-0500​Wily Introscope Enterprise Supervisor​WILY_INTRO_ENTERPRISE 10.8​9.6​Important​3694242​CVE-2026-0498​S/4HANA (Non-public Cloud/On-Premise)​S4CORE 102-109​9.1​Important​3697979​CVE-2026-0491​Panorama Transformation​DMIS 2011_1_700 to 2020​9.1​Important​

Excessive and Medium Dangers

Excessive-priority notes embrace privilege escalation in SAP HANA (CVE-2026-0492, CVSS 8.8), letting low-privilege customers achieve full database management, and OS command injection in ABAP servers (CVE-2026-0507, CVSS 8.4).

Lacking authorizations in NetWeaver ABAP (CVE-2026-0506, CVSS 8.1) and Fiori apps (CVE-2026-0511 et al., CVSS 8.1) expose integrity and information leaks.​

Medium points cowl XSS in NetWeaver Portal (CVE-2026-0499, CVSS 6.1) and Enterprise Connector (CVE-2026-0514), open redirects, CSRF, and data disclosures in Fiori and SRM, all with community attain. Low-severity fixes deal with weak JNDI enter and out of date encryption in Id Administration and NW Java.​

Notice #CVE IDProductCVSS v3.1Priority3691059​CVE-2026-0492​SAP HANA​8.8​Excessive​3675151​CVE-2026-0507​ABAP/NetWeaver RFCSDK​8.4​Excessive​3688703​CVE-2026-0506​NetWeaver ABAP​8.1​Excessive​3565506​CVE-2026-0511​Fiori (Intercompany)​8.1​Excessive​

Directors should patch important notes instantly, SQL injection and RCE inside 24 hours, and code injections urgently to avert breaches in finance and monitoring instruments.

Check patches in staging environments first, prioritizing S/4HANA and HANA deployments widespread in enterprises. SAP stresses reviewing notes on the Help Portal and layering defenses like community segmentation till updates apply.

Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , ,

Related Posts

CISA and NSA Warns of BRICKSTORM Malware Attacking VMware ESXi and Windows Environments Cyber Security News
VexTrio TDS System Developing Several Malicious Apps Mimic as VPNs to Publish in Google Play and App Store Cyber Security News
Aembit Named to Rising in Cyber 2025 List of Top Cybersecurity Startups Cyber Security News
Windows Remote Access Connection Manager Vulnerability Enables Arbitrary Code Execution Cyber Security News
SVG Security Analysis Toolkit to Detect Malicious Scripts Hidden in SVG files Cyber Security News
ChatGPT Tricked Into Bypassing CAPTCHA Security and Enterprise Defenses Cyber Security News