SAP Security Patch Day January 2026 Addresses Critical Injection and RCE Vulnerabilities - cyberpress.org

SAP Security Patch Day January 2026 Addresses Critical Injection and RCE Vulnerabilities By AnuPriya January 13, 2026 Categories: Cyber Security NewsCybersecurityVulnerabilities SAP released 17 new security notes on January 13, 2026, fixing critical vulnerabilities across widely deployed enterprise systems. The patch day includes four critical-severity flaws, including SQL injection, remote code execution, and code injection, that can compromise SAP environments via both authenticated and unauthenticated attack vectors. Critical Vulnerabilities Requiring Immediate Remediation The January patch cycle addresses several severe vulnerabilities targeting SAP’s core infrastructure. CVE-2026-0501 is the highest-severity flaw: a SQL injection vulnerability in SAP S/4HANA’s General Ledger module, with a CVSS score of 9.9. This vulnerability allows authenticated attackers to execute arbitrary SQL queries, directly compromising the integrity of financial data across S4CORE versions 102 through 109 in both private cloud and on-premise environments. A critical remote code execution vulnerability in SAP Wily Introscope Enterprise Manager (CVE-2026-0500, CVSS 9.6) requires only minimal user interaction to trigger exploitation. This flaw enables attackers to gain system-level access without authentication, presenting a substantial risk to enterprise monitoring infrastructure in version 10.8 deployments. Code injection vulnerabilities have been reported in both SAP S/4HANA (CVE-2026-0498, CVSS 9.1) and SAP Landscape Transformation (CVE-2026-0491, CVSS 9.1), though both require high-privilege authentication. The HANA privilege escalation vulnerability (CVE-2026-0492, CVSS 8.8) and OS command injection in Application Server components (CVE-2026-0507, CVSS 8.4) complete the high-severity threat landscape. CVE ID Vulnerability Type Affected Product CVSS Score Severity CVE-2026-0501 SQL Injection SAP S/4HANA (General Ledger) 9.9 Critical CVE-2026-0500 Remote Code Execution SAP Wily Introscope Enterprise Manager 9.6 Critical CVE-2026-0498 Code Injection SAP S/4HANA (Private Cloud/On-Premise) 9.1 Critical CVE-2026-0491 Code Injection SAP Landscape Transformation 9.1 Critical CVE-2026-0492 Privilege Escalation SAP HANA Database 8.8 High CVE-2026-0507 OS Command Injection SAP Application Server ABAP/NetWeaver RFCSDK 8.4 High CVE-2026-0511 Multiple Vulnerabilities SAP Fiori App (Intercompany Balance Reconciliation) 8.1 High CVE-2026-0506 Missing Authorization Check SAP NetWeaver Application Server ABAP 8.1 High CVE-2026-0503 Missing Authorization Check SAP ERP/S/4HANA (EHS Management) 6.4 Medium CVE-2026-0499 Cross-Site Scripting (XSS) SAP NetWeaver Enterprise Portal 6.1 Medium CVE-2026-0514 Cross-Site Scripting (XSS) SAP Business Connector 6.1 Medium CVE-2026-0513 Open Redirect SAP Supplier Relationship Management 4.7 Medium CVE-2026-0494 Information Disclosure SAP Fiori App (Intercompany Balance Reconciliation) 4.3 Medium CVE-2026-0493 Cross-Site Request Forgery (CSRF) SAP Fiori App (Intercompany Balance Reconciliation) 4.3 Medium CVE-2026-0497 Missing Authorization Check Business Server Pages Application 4.3 Medium CVE-2026-0504 Insufficient Input Handling SAP Identity Management 3.8 Low CVE-2026-0510 Obsolete Encryption Algorithm NW AS Java UME User Mapping 3.0 Low Beyond the critical flaws, the patch cycle addresses multiple authorization-bypass vulnerabilities across NetWeaver Application Server (CVE-2026-0506, CVSS 8.1) and EHS Management systems (CVE-2026-0503, CVSS 6.4). These authorization weaknesses could facilitate privilege escalation through authenticated access pathways. Application-level vulnerabilities include cross-site scripting flaws in Enterprise Portal (CVE-2026-0499, CVSS 6.1) and Business Connector (CVE-2026-0514, CVSS 6.1), as well as cross-site request forgery affecting the Fiori Intercompany Balance Reconciliation app (CVE-2026-0493, CVSS 4.3). Lower-severity vulnerabilities encompassing information disclosure, open redirects, and deprecated encryption implementations complete the vulnerability set. SAP strongly recommends prioritizing patches addressing critical-severity vulnerabilities, particularly those affecting S/4HANA and Wily Introscope environments. Organizations should consult SAP’s support portal for patch availability and deployment guidance tailored to their specific installed versions and system configurations. Rapid remediation of these vulnerabilities is essential given their potential impact on core enterprise financial and monitoring systems. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. Share Facebook Twitter Pinterest WhatsApp AnuPriya Any Priya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends. Recent Articles Malicious Browser Extensions Can Steal AI Chats in New “Prompt Poaching” Attack AI March 28, 2026 Fake Certificate Loader Conceals BlankGrabber Malware Chain Cyber Security News March 28, 2026 Open VSX Vulnerability lets malicious extension go live Cyber Security News March 28, 2026 European Commission Confirms Cyberattack After AWS Account Breach AWS March 28, 2026 BIND 9 Vulnerabilities Allow Attackers to Bypass Security and Crash Servers Cyber Security News March 27, 2026 Related Stories AI Malicious Browser Extensions Can Steal AI Chats in New “Prompt Poaching” Attack Mayura - March 28, 2026 Cyber Security News Fake Certificate Loader Conceals BlankGrabber Malware Chain Mayura - March 28, 2026 Cyber Security News Open VSX Vulnerability lets malicious extension go live Mayura - March 28, 2026 AWS European Commission Confirms Cyberattack After AWS Account Breach Mayura - March 28, 2026 Cyber Security News BIND 9 Vulnerabilities Allow Attackers to Bypass Security and Crash Servers AnuPriya - March 27, 2026 Cyber Security News VoidLink Rootkit Exploits eBPF and Kernel Modules For Stealth On Linux Varshini - March 27, 2026 LEAVE A REPLY Comment: Name:* Email:* Website: