SAP Security Patch Day January 2026 Addresses Critical Injection and RCE Vulnerabilities
By AnuPriya
January 13, 2026
SAP released 17 new security notes on January 13, 2026, fixing critical vulnerabilities across widely deployed enterprise systems.
The patch day covers four critical-severity flaws, among them SQL injection, remote code execution and code injection, that can compromise SAP environments through both authenticated and unauthenticated attack vectors.
Critical Vulnerabilities Requiring Immediate Remediation
The January patch cycle addresses several severe vulnerabilities affecting SAP’s core infrastructure.
CVE-2026-0501 is the highest-severity flaw: a SQL injection vulnerability in SAP S/4HANA’s General Ledger module, with a CVSS score of 9.9.
This vulnerability allows authenticated attackers to execute arbitrary SQL queries, directly compromising the integrity of financial data across S4CORE versions 102 through 109 in both private cloud and on-premise environments.
A critical remote code execution vulnerability in SAP Wily Introscope Enterprise Manager (CVE-2026-0500, CVSS 9.6) requires only minimal user interaction to trigger exploitation.
This flaw enables attackers to gain system-level access without authentication, presenting a substantial risk to enterprise monitoring infrastructure in version 10.8 deployments.
Code injection vulnerabilities have been reported in both SAP S/4HANA (CVE-2026-0498, CVSS 9.1) and SAP Landscape Transformation (CVE-2026-0491, CVSS 9.1), though both require high-privilege authentication.
The HANA privilege escalation vulnerability (CVE-2026-0492, CVSS 8.8) and OS command injection in Application Server components (CVE-2026-0507, CVSS 8.4) complete the high-severity threat landscape.
| CVE ID        | Vulnerability Type               | Affected Product                                          | CVSS Score | Severity |
|---------------|----------------------------------|-----------------------------------------------------------|------------|----------|
| CVE-2026-0501 | SQL Injection                    | SAP S/4HANA (General Ledger)                              | 9.9        | Critical |
| CVE-2026-0500 | Remote Code Execution            | SAP Wily Introscope Enterprise Manager                    | 9.6        | Critical |
| CVE-2026-0498 | Code Injection                   | SAP S/4HANA (Private Cloud/On-Premise)                    | 9.1        | Critical |
| CVE-2026-0491 | Code Injection                   | SAP Landscape Transformation                              | 9.1        | Critical |
| CVE-2026-0492 | Privilege Escalation             | SAP HANA Database                                         | 8.8        | High     |
| CVE-2026-0507 | OS Command Injection             | SAP Application Server ABAP/NetWeaver RFCSDK              | 8.4        | High     |
| CVE-2026-0511 | Multiple Vulnerabilities         | SAP Fiori App (Intercompany Balance Reconciliation)       | 8.1        | High     |
| CVE-2026-0506 | Missing Authorization Check      | SAP NetWeaver Application Server ABAP                     | 8.1        | High     |
| CVE-2026-0503 | Missing Authorization Check      | SAP ERP/S/4HANA (EHS Management)                          | 6.4        | Medium   |
| CVE-2026-0499 | Cross-Site Scripting (XSS)       | SAP NetWeaver Enterprise Portal                           | 6.1        | Medium   |
| CVE-2026-0514 | Cross-Site Scripting (XSS)       | SAP Business Connector                                    | 6.1        | Medium   |
| CVE-2026-0513 | Open Redirect                    | SAP Supplier Relationship Management                      | 4.7        | Medium   |
| CVE-2026-0494 | Information Disclosure           | SAP Fiori App (Intercompany Balance Reconciliation)       | 4.3        | Medium   |
| CVE-2026-0493 | Cross-Site Request Forgery (CSRF)| SAP Fiori App (Intercompany Balance Reconciliation)       | 4.3        | Medium   |
| CVE-2026-0497 | Missing Authorization Check      | Business Server Pages Application                         | 4.3        | Medium   |
| CVE-2026-0504 | Insufficient Input Handling      | SAP Identity Management                                   | 3.8        | Low      |
| CVE-2026-0510 | Obsolete Encryption Algorithm    | NW AS Java UME User Mapping                               | 3.0        | Low      |
Beyond the critical flaws, the patch cycle addresses multiple authorization-bypass vulnerabilities across NetWeaver Application Server (CVE-2026-0506, CVSS 8.1) and EHS Management systems (CVE-2026-0503, CVSS 6.4).
These authorization weaknesses could facilitate privilege escalation through authenticated access pathways.
Application-level vulnerabilities include cross-site scripting flaws in Enterprise Portal (CVE-2026-0499, CVSS 6.1) and Business Connector (CVE-2026-0514, CVSS 6.1), as well as cross-site request forgery affecting the Fiori Intercompany Balance Reconciliation app (CVE-2026-0493, CVSS 4.3).
Lower-severity vulnerabilities encompassing information disclosure, open redirects, and deprecated encryption implementations complete the vulnerability set.
SAP strongly recommends prioritizing patches addressing critical-severity vulnerabilities, particularly those affecting S/4HANA and Wily Introscope environments.
Organizations should consult SAP’s support portal for patch availability and deployment guidance tailored to their specific installed versions and system configurations.
Rapid remediation of these vulnerabilities is essential given their potential impact on core enterprise financial and monitoring systems.