SAP Security Patch Day - Critical SAP CRM and SAP S/4HANA Code Injection Vulnerabilities Fixed - CyberSecurityNews
SAP’s February 2026 Security Patch Day delivered 26 new SAP Security Notes and one update to a previously published note. SAP urges customers to prioritize the critical and high-priority fixes to reduce exposure across core enterprise workloads.
SAP’s monthly bulletin is a remediation guide for vulnerabilities identified in SAP products, with an explicit recommendation to review the Support Portal and apply patches promptly to protect the SAP landscape.
The highest-risk issue identified is CVE-2026-0488, a code-injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) that allows an authenticated, low-privilege user to inject and execute arbitrary code. The CVSS score of 9.9 (SAP Note 3697099) reflects a changed scope: the impact extends beyond the vulnerable component itself, which is why the score reaches this level despite the low privilege requirement.
From an attack-chain perspective, this class of flaw is especially dangerous in SAP landscapes because it can convert “business user” access into application-layer execution, enabling lateral movement into tightly coupled modules and integrations.
A second critical item, CVE-2026-0509, is a missing authorization check in SAP NetWeaver Application Server ABAP / ABAP Platform that can enable low-privilege authenticated users to bypass authorization controls (SAP Note 3674774; CVSS 9.6).
Among the high-severity set, CVE-2026-23687 (XML Signature Wrapping) in SAP NetWeaver AS ABAP / ABAP Platform is highlighted as a risk for signature-manipulation scenarios that can undermine trust decisions in XML-based flows. In this class of flaw an attacker who can submit signed XML (SAML assertions are the classic case) relocates or duplicates the signed element so that the signature still verifies over the original content while the application acts on an unsigned element injected elsewhere in the same document; the validator and the consumer disagree about which element is "the signed one".
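The following is an added example of the signature-wrapping class described above; it is not code from the article or from SAP, and it says nothing about how CVE-2026-23687 itself is triggered. To stay standard-library only, a keyed HMAC over the serialized element stands in for XML-DSig (an assumption; real signatures add canonicalization and key management but the structural mistake is the same). The element names, the ID `a1`, the shared key and the `alice`/`admin` assertion contents are all constructed for the demo. The vulnerable path resolves `URI="#a1"` to the first element with that ID anywhere in the document and then reads the first `<Assertion>` child; the hardened path only trusts the exact element the digest was checked against and rejects ambiguous or relocated references.

```python
"""Toy XML Signature Wrapping (XSW) demo. Not XML-DSig: an HMAC over the
serialized element stands in for the signature (assumption, keeps this
stdlib-only). The bug is structural: verifier and consumer locate the
"signed element" by different rules, and the attacker exploits the gap."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"demo-shared-secret"  # constructed key for the toy HMAC "signature"


def canon(elem):
    """Serialize an element without its tail text (a stand-in for C14N)."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c, encoding="unicode")


def mac_over(elem):
    return hmac.new(KEY, canon(elem).encode(), hashlib.sha256).hexdigest()


def sign_assertion(root):
    """Issuer side: attach a <Signature> that references the Assertion by ID."""
    assertion = root.find("Assertion")
    sig = ET.Element("Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, "DigestValue").text = mac_over(assertion)
    root.insert(0, sig)
    return root


def build_signed_message():
    """Constructed sample: the issuer signs an Assertion for user 'alice'."""
    root = ET.fromstring('<Response><Assertion ID="a1"><Subject>alice</Subject>'
                         '<Role>user</Role></Assertion></Response>')
    return ET.tostring(sign_assertion(root), encoding="unicode")


def find_by_id(root, ref_id):
    """Every element in the document carrying the referenced ID."""
    return [e for e in root.iter() if e.get("ID") == ref_id]


def signature_valid(root):
    """Vulnerable verifier: URI="#id" resolves to the FIRST match anywhere."""
    sig = root.find("Signature")
    ref_id = sig.find("Reference").get("URI").lstrip("#")
    targets = find_by_id(root, ref_id)
    if not targets:
        return False
    return hmac.compare_digest(mac_over(targets[0]), sig.find("DigestValue").text)


def subject_vulnerable(xml_text):
    """Vulnerable consumer: verifies, then reads the first <Assertion> it sees."""
    root = ET.fromstring(xml_text)
    if not signature_valid(root):
        return None
    return root.find("Assertion").findtext("Subject")


def subject_hardened(xml_text):
    """Hardened consumer: exactly one referenced element, in the expected place,
    and the Subject is read from that verified element and nothing else."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    ref_id = sig.find("Reference").get("URI").lstrip("#")
    matches = find_by_id(root, ref_id)
    if len(matches) != 1:
        return None                       # ambiguous reference
    target = matches[0]
    if target.tag != "Assertion" or target not in list(root):
        return None                       # wrong type, or relocated under a wrapper
    if not hmac.compare_digest(mac_over(target), sig.find("DigestValue").text):
        return None
    return target.findtext("Subject")


def wrap_attack(signed_xml):
    """Attacker: keep the signed Assertion byte-for-byte (so the digest still
    verifies), bury it under a decoy wrapper, and put a forged Assertion where
    the consumer looks first."""
    root = ET.fromstring(signed_xml)
    sig = ET.tostring(root.find("Signature"), encoding="unicode")
    original = canon(root.find("Assertion"))
    forged = '<Assertion ID="evil"><Subject>admin</Subject><Role>admin</Role></Assertion>'
    return "<Response>" + sig + forged + "<Wrapper>" + original + "</Wrapper></Response>"


if __name__ == "__main__":
    signed = build_signed_message()
    attacked = wrap_attack(signed)
    print("legitimate:", subject_vulnerable(signed), subject_hardened(signed))
    print("wrapped:   ", subject_vulnerable(attacked), subject_hardened(attacked))
```

The legitimate message yields `alice` on both paths; the wrapped message still passes the vulnerable verifier (the digest is computed over the untouched original) and the vulnerable consumer returns `admin`, while the hardened consumer refuses it because the referenced element is no longer a direct child of `<Response>`. With a real XML-DSig library the same discipline applies: take the element from the verifier's result rather than re-querying the document, require exactly one match for each reference, and reject documents whose signed element is not where the schema expects it.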
Availability also features prominently: CVE-2026-23689 affects SAP Supply Chain Management and is described as uncontrolled resource consumption. An authenticated user can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter, exhausting system resources until the service becomes unavailable.
| CVE ID | Note # | Severity | CVSS | Product | Title |
|---|---|---|---|---|---|
| CVE-2026-0488 | 3697099 | Critical | 9.9 | SAP CRM & S/4HANA (Scripting Editor) | Code Injection vulnerability |
| CVE-2026-0509 | 3674774 | Critical | 9.6 | SAP NetWeaver AS ABAP & ABAP Platform | Missing Authorization check |
| CVE-2026-23687 | 3697567 | High | 8.8 | SAP NetWeaver AS ABAP & ABAP Platform | XML Signature Wrapping |
| CVE-2026-23689 | 3703092 | High | 7.7 | SAP Supply Chain Management | Denial of Service (DoS) |
| CVE-2026-24322 | 3705882 | High | 7.7 | SAP Solution Tools Plug-In (ST-PI) | Missing Authorization check |
| CVE-2026-0490 | 3654236 | High | 7.5 | SAP BusinessObjects BI Platform | Denial of Service (DoS) |
| CVE-2026-0485 | 3678282 | High | 7.5 | SAP BusinessObjects BI Platform | Denial of Service (DoS) |
| CVE-2025-12383 | 3692405 | High | 7.4 | SAP Commerce Cloud | Race Condition |
| CVE-2026-0508 | 3674246 | High | 7.3 | SAP BusinessObjects BI Platform | Open Redirect vulnerability |
| CVE-2026-0484 | 3672622 | Medium | 6.5 | SAP NetWeaver AS ABAP & S/4HANA | Missing Authorization check |
| CVE-2026-24324 | 3695912 | Medium | 6.5 | SAP BusinessObjects BI Platform (AdminTools) | Denial of Service (DoS) |
| CVE-2026-0505, CVE-2026-24323 | 3678417 | Medium | 6.1 | SAP Document Management System | Multiple vulnerabilities in BSP Applications |
| CVE-2026-24328 | 3688319 | Medium | 6.1 | BSP Application (TAF_APPLAUNCHER) | Open Redirection vulnerability |
| CVE-2025-0059 | 3503138 | Medium | 6.0 | SAP NetWeaver AS ABAP (SAP GUI for HTML) | Information Disclosure (update to the January 2025 note) |
| CVE-2026-23684 | 3689543 | Medium | 5.9 | SAP Commerce Cloud | Race Condition vulnerability |
| CVE-2026-24319 | 3679346 | Medium | 5.8 | SAP Business One (B1 Client Memory Dump) | Information Disclosure vulnerability |
| CVE-2026-24321 | 3687771 | Medium | 5.3 | SAP Commerce Cloud | Information Disclosure vulnerability |
| CVE-2026-24312 | 3710111 | Medium | 5.2 | SAP Business Workflow | Missing Authorization check |
| CVE-2026-0486 | 3691645 | Medium | 5.0 | ABAP-based SAP systems | Missing Authorization check |
| CVE-2026-24325 | 3697256 | Medium | 4.8 | SAP BusinessObjects Enterprise (CMC) | Cross-Site Scripting (XSS) |
| CVE-2026-23685 | 3687285 | Medium | 4.4 | SAP NetWeaver (JMS service) | Insecure Deserialization |
| CVE-2026-23688 | 3215823 | Medium | 4.3 | SAP Fiori App (Manage Service Entry Sheets) | Missing Authorization check |
| CVE-2026-23681 | 3680416 | Medium | 4.3 | SAP Support Tools Plug-In | Missing Authorization check in function module |
| CVE-2026-24326 | 3678009 | Medium | 4.3 | SAP S/4HANA Defense & Security | Missing Authorization check |
| CVE-2026-24327 | 3680390 | Medium | 4.3 | SAP Strategic Enterprise Management (Balanced Scorecard) | Missing Authorization check |
| CVE-2026-23686 | 3673213 | Low | 3.4 | SAP NetWeaver AS Java | CRLF Injection vulnerability |
| CVE-2026-24320 | 3678313 | Low | 3.1 | SAP NetWeaver & ABAP Platform (AS ABAP) | Memory Corruption vulnerability |
The same Patch Day coverage also flags multiple denial-of-service, open-redirect and XSS issues in SAP BusinessObjects BI Platform and related components, reinforcing that externally reachable or user-facing endpoints deserve extra scrutiny during triage, even where the individual CVSS scores are moderate.