SAP has released its January 2026 Security Patch Day updates, publishing 17 new security notes on January 13, 2026. The updates address multiple vulnerabilities across SAP products, including critical injection flaws and remote code execution (RCE) issues that could allow attackers to compromise affected systems.
This month’s release does not include updates to previously issued notes, which means organizations must focus entirely on applying the newly released fixes. Notably, four vulnerabilities are classified as HotNews, with CVSS scores reaching 9.9, signaling a high risk to enterprise environments if left unpatched.
Critical Vulnerabilities Overview
The most severe issues in this patch cycle are summarized below:
| SAP Note | CVE ID | Affected Component | CVSS | Impact |
|---|---|---|---|---|
| 3687749 | CVE-2026-0501 | S/4HANA Financials – General Ledger | 9.9 | SQL Injection |
| 3668679 | CVE-2026-0500 | Wily Introscope Enterprise Manager | 9.6 | Remote Code Execution |
| 3694242 | CVE-2026-0498 | S/4HANA (Private Cloud / On-Prem) | 9.1 | Code Injection |
| 3697979 | CVE-2026-0491 | Landscape Transformation | 9.1 | Code Injection |
The most critical vulnerability affects SAP S/4HANA Financials – General Ledger (CVE-2026-0501). This flaw allows authenticated users with low privileges to inject arbitrary SQL queries, potentially compromising the confidentiality, integrity, and availability of sensitive financial data.
Another major concern is a remote code execution vulnerability in SAP Wily Introscope Enterprise Manager (CVE-2026-0500). In this case, an attacker could execute code remotely with limited user interaction, potentially gaining control over monitoring systems used across enterprise environments.
SAP also fixed code injection vulnerabilities in SAP S/4HANA and Landscape Transformation, which could allow high-privilege users to execute malicious code remotely and impact system stability or data integrity.
High and Medium Severity Issues
Beyond this, SAP addressed several high-risk vulnerabilities, including:
- Privilege escalation in SAP HANA, allowing low-privilege users to gain elevated database access
- Operating system command injection in ABAP-related components
- Missing authorization checks in NetWeaver ABAP and certain Fiori applications
Medium-severity fixes cover issues such as cross-site scripting (XSS), cross-site request forgery (CSRF), open redirects, and information disclosure across NetWeaver Portal, Business Connector, Fiori, and SRM components. While these issues are less severe, they may still be exploited in chained attacks.
Recommended Actions for SAP Customers
SAP strongly advises customers to prioritize remediation efforts, particularly for systems running S/4HANA, HANA, and monitoring tools.
Organizations should:
- Apply HotNews patches immediately, ideally within 24 hours
- Test updates in staging or QA environments before production rollout
- Limit network exposure and access to critical SAP components if patching is delayed
- Review SAP security notes through the SAP Support Portal for detailed guidance
Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!
Leave A Comment