SAP administrators are facing a busy start to the year. On January 13, 2026, the enterprise software giant released 17 new security notes addressing vulnerabilities that could expose critical financial data and allow full system compromise. All 17 notes are new; none of them updates a previously released note.
Leading the pack is a near-maximum severity SQL Injection vulnerability in SAP S/4HANA, followed closely by a dangerous Remote Code Execution (RCE) flaw in the Wily Introscope Enterprise Manager.
The most severe issue in this month’s batch is CVE-2026-0501, carrying a critical CVSS score of 9.9. This SQL Injection vulnerability strikes at the heart of enterprise resource planning: the Financials – General Ledger component of SAP S/4HANA Private Cloud and On-Premise.
Due to insufficient input validation, an authenticated user, potentially an insider or an attacker holding compromised credentials, could “execute crafted SQL queries to read, modify, and delete backend database data”. The impact on the confidentiality, integrity, and availability of financial records is rated high. The authentication requirement is a thin barrier: a CVSS score of 9.9 for an authenticated flaw corresponds to a vector in which low privileges suffice, so any account that can reach the affected General Ledger functionality is enough to attempt exploitation.
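As an added illustration, not SAP's code and not the actual flawed code in the General Ledger component (SAP has not published it), here is the ABAP pattern behind this vulnerability class: an RFC-callable module that splices caller input into a dynamic Open SQL WHERE clause, beside a hardened version that binds the value as a host variable and performs the authorization check first. The module names, the parameters and the search-by-header-text scenario are hypothetical; BKPF, BUKRS, BKTXT and the authorization object F_BKPF_BUK are standard SAP objects.

```abap
" Hypothetical RFC-enabled function module (example code, not SAP's).
" VULNERABLE: caller-controlled text is concatenated into the SQL text.
FUNCTION z_gl_search_docs_vulnerable.
*"  IMPORTING  VALUE(iv_bukrs) TYPE bukrs
*"             VALUE(iv_bktxt) TYPE string   " loosely typed, accepts anything
*"  TABLES     et_docs STRUCTURE bkpf
  DATA lt_docs TYPE STANDARD TABLE OF bkpf.
  " A value for iv_bktxt such as   x' OR BUKRS <> '   turns the clause into
  "   BUKRS = '1000' AND BKTXT = 'x' OR BUKRS <> ''
  " which returns documents of every company code; other payloads let the
  " caller control the whole predicate.
  DATA(lv_where) = |BUKRS = '{ iv_bukrs }' AND BKTXT = '{ iv_bktxt }'|.
  SELECT * FROM bkpf INTO TABLE lt_docs WHERE (lv_where).
  et_docs[] = lt_docs.
ENDFUNCTION.

" HARDENED: typed interface, authorization check, static SQL with bound values.
FUNCTION z_gl_search_docs_hardened.
*"  IMPORTING  VALUE(iv_bukrs) TYPE bukrs
*"             VALUE(iv_bktxt) TYPE bktxt    " CHAR 25, same type as the column
*"  TABLES     et_docs STRUCTURE bkpf
*"  EXCEPTIONS no_authority
  DATA lt_docs TYPE STANDARD TABLE OF bkpf.
  " 1. Company-code display authorization in Financial Accounting
  "    (ACTVT 03 = display). A remote caller cannot skip this step.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE no_authority.
  ENDIF.
  " 2. Host variables (@...) are bound as values, never parsed as SQL text,
  "    so quotes or keywords inside iv_bktxt cannot change the statement.
  SELECT * FROM bkpf
    WHERE bukrs = @iv_bukrs
      AND bktxt = @iv_bktxt
    INTO TABLE @lt_docs.
  et_docs[] = lt_docs.
  " If a dynamic clause is genuinely unavoidable, quote the value first so
  " embedded single quotes are doubled before concatenation:
  "   DATA(lv_where) = |BKTXT = { cl_abap_dyn_prg=>quote( iv_bktxt ) }|.
ENDFUNCTION.
```

The hardened version fixes three things at once: the parameter type limits the input to what the column can hold, the AUTHORITY-CHECK ties the query to the caller's company-code permissions, and static Open SQL removes string concatenation entirely. The `cl_abap_dyn_prg=>quote` fallback is the last resort, not the first line of defense.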
While the SQL injection requires authentication, CVE-2026-0500 (CVSS 9.6) does not. This critical Remote Code Execution vulnerability affects SAP Wily Introscope Enterprise Manager (WorkStation).
The flaw stems from a vulnerable third-party component. An unauthenticated attacker can exploit it by creating a malicious JNLP (Java Network Launch Protocol) file hosted on a public URL. “When a victim clicks on the URL the accessed Wily Introscope Server could execute OS commands on the victim’s machine,” potentially leading to a complete compromise of the system. Note that the attack requires a victim to open the link, which is why the score is 9.6 rather than 10.0; the code executes on the workstation of the user who clicks, so the exposure extends to administrator endpoints, not only to the server.
SAP also patched two critical “Code Injection” vulnerabilities that turn an administrative account into full control of the underlying system. Both rated CVSS 9.1, these flaws allow attackers with admin privileges to inject arbitrary ABAP code or OS commands via Remote Function Call (RFC) modules, bypassing the authorization checks that would normally apply.
- CVE-2026-0498: Affects SAP S/4HANA (Private Cloud and On-Premise).
- CVE-2026-0491: Affects SAP Landscape Transformation.
The advisory warns that these vulnerabilities create “the risk of full system compromise”.
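To make the "RFC module that bypasses authorization checks" pattern concrete, here is an added ABAP illustration that is not SAP's code and not the actual flaw in either product (SAP has not published the affected modules). It shows a hypothetical RFC-enabled module that compiles and runs caller-supplied ABAP source with no authorization check, beside a hardened replacement that refuses to compile input at all and checks the development authorization (S_DEVELOP) that the dynamic path would otherwise sidestep. Module names, the action names and the two routines they dispatch to are hypothetical.

```abap
" Hypothetical RFC-enabled module (example code, not SAP's).
" VULNERABLE: the interface itself is the flaw. Any user who may call this
" module gets an ABAP interpreter running with the work process's rights,
" whatever authorizations their own user holds.
FUNCTION z_run_source_vulnerable.
*"  IMPORTING  VALUE(iv_source) TYPE string   " full subroutine pool, PROGRAM line included
  DATA lt_src  TYPE TABLE OF string.
  DATA lv_prog TYPE sy-repid.
  SPLIT iv_source AT cl_abap_char_utilities=>newline INTO TABLE lt_src.
  " Compiles whatever the caller sent into a temporary program...
  GENERATE SUBROUTINE POOL lt_src NAME lv_prog.
  " ...and executes it. No AUTHORITY-CHECK anywhere on this path.
  PERFORM ('RUN') IN PROGRAM (lv_prog) IF FOUND.
ENDFUNCTION.

" HARDENED: no code generation from input; an allow-list of fixed actions,
" each guarded by an explicit authorization check.
FUNCTION z_run_action_hardened.
*"  IMPORTING  VALUE(iv_action) TYPE string
*"  EXCEPTIONS no_authority invalid_action
  " Require the authorization that an administrator would need to change
  " programs in the development workbench (S_DEVELOP, ACTVT 02 = change).
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' DUMMY
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  DUMMY
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '02'.
  IF sy-subrc <> 0.
    RAISE no_authority.
  ENDIF.
  " Map an allow-listed action name to a routine that exists in the
  " function group. Input never reaches GENERATE SUBROUTINE POOL,
  " INSERT REPORT, CALL 'SYSTEM' or any other code/command sink.
  CASE iv_action.
    WHEN 'REBUILD_INDEX'.
      PERFORM rebuild_index.   " hypothetical routine of this function group
    WHEN 'CLEAR_CACHE'.
      PERFORM clear_cache.     " hypothetical routine of this function group
    WHEN OTHERS.
      RAISE invalid_action.
  ENDCASE.
ENDFUNCTION.
```

The same shape applies to OS command injection: the dangerous sink is different (a system-call kernel function or an external command started with caller-controlled arguments instead of GENERATE SUBROUTINE POOL), but the fix is identical, namely never passing caller input to the sink, and checking authorization before the module does anything privileged. A useful audit question for any RFC-enabled module in a custom namespace is whether it contains one of those sinks and whether an AUTHORITY-CHECK precedes it on every path.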
Beyond the critical alerts, the patch day includes several high-priority fixes:
- CVE-2026-0492 (CVSS 8.8): A Privilege Escalation vulnerability in the SAP HANA database.
- CVE-2026-0507 (CVSS 8.4): An OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK.
- CVE-2026-0511 (CVSS 8.1): Multiple vulnerabilities in the SAP Fiori App (Intercompany Balance Reconciliation).
Organizations are strongly urged to apply these security notes promptly, prioritizing the two critical issues and the RFC-reachable code injection fixes, to protect their landscapes from these threats.