On Tuesday, SAP announced the release of essential security updates, including two critical patches, as part of its February 2026 update cycle. These updates address vulnerabilities in key SAP platforms, including CRM, S/4HANA, and NetWeaver, highlighting the ongoing need for robust cybersecurity measures.
Critical Vulnerabilities in SAP Systems
Among the most significant updates is a patch for CVE-2026-0488, a severe code injection vulnerability with a CVSS score of 9.9. This flaw affects the Scripting Editor component in SAP’s CRM and S/4HANA applications. Authenticated users exploiting this vulnerability can run arbitrary SQL commands, potentially compromising the database’s confidentiality, integrity, and availability.
Another major update addresses CVE-2026-0509, a missing authorization check in the NetWeaver Application Server ABAP and ABAP Platform. This issue, rated at 9.6 on the CVSS scale, allows users with low privileges to execute remote function calls under certain conditions without necessary authorizations, posing a substantial security risk.
Additional High-Severity Patches
SAP’s February update also includes seven high-severity security notes. These cover various vulnerabilities across platforms such as NetWeaver, Supply Chain Management, and Commerce Cloud. Notably, an XML signature wrapping flaw in NetWeaver could permit attackers to send signed XML documents that might expose sensitive information and disrupt system operations.
Other high-severity issues resolved include a missing authorization check, a race condition, an open redirect, and multiple denial-of-service vulnerabilities. These patches are crucial for maintaining the secure operation of SAP environments.
Advice for SAP Users
In addition to the critical and high-severity patches, SAP has addressed several medium- and low-severity issues in its February release. These affect systems like BusinessObjects, Document Management, and Fiori App, among others. Despite no known active exploitation of these vulnerabilities, SAP advises all users to apply these updates promptly to safeguard their systems against potential threats.
Keeping software updated is a critical component of cybersecurity. Organizations using SAP products should prioritize these updates to mitigate risks associated with these vulnerabilities.
For further insights into cybersecurity, related discussions include BeyondTrust’s recent vulnerability patch and ongoing threats from cybercriminals exploiting known software flaws.
