SAP has released its security update for February 2026, issuing patches for 26 new vulnerabilities across its enterprise ecosystem. Leading the pack is a critical code injection flaw in SAP CRM and SAP S/4HANA, tracked as CVE-2026-0488, which carries a near-maximum CVSS score of 9.9.
The update addresses a wide range of issues, from high-severity authorization bypasses to denial-of-service (DoS) risks, and SAP urges administrators to patch their systems immediately to prevent potential database compromises and service disruptions.
The most severe vulnerability of the month is CVE-2026-0488, a code injection flaw found in the Scripting Editor of SAP CRM and SAP S/4HANA.
The advisory warns of catastrophic consequences: “An authenticated attacker… could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement”.
This means an attacker with basic access could potentially take full control of the database, leading to a “full database compromise with high impact on confidentiality, integrity, and availability”.
Close behind is CVE-2026-0509 (CVSS 9.6), a critical missing authorization check in SAP NetWeaver Application Server ABAP.
This flaw allows a “low-privileged user to perform background Remote Function Calls without the required S_RFC authorization”. While it doesn’t expose data directly (confidentiality impact is none), it allows attackers to disrupt operations or modify data, posing a severe threat to system integrity and availability.
Another high-severity issue, CVE-2026-23687 (CVSS 8.8), targets the trust verification process in SAP NetWeaver. The vulnerability allows an attacker to “obtain a valid signed message and send modified signed XML documents to the verifier”.
By exploiting this “XML Signature Wrapping” flaw, an attacker could trick the system into accepting tampered identity information, potentially gaining unauthorized access to sensitive user data.
The February patch cycle also covers a variety of other high- and medium-severity issues:
- DoS Attacks: Multiple denial-of-service vulnerabilities were patched in SAP BusinessObjects BI Platform (CVE-2026-0490, CVE-2026-0485) and SAP Supply Chain Management (CVE-2026-23689).
- Race Conditions: A high-severity race condition (CVE-2025-12383) was fixed in SAP Commerce Cloud, which could lead to unpredictable system behavior.
- Open Redirects: A medium-severity open redirect flaw (CVE-2026-0508) was addressed in the Business Intelligence Platform, preventing attackers from redirecting users to malicious sites.
With critical vulnerabilities exposing databases and core application servers, SAP administrators are strongly advised to review Security Note 3697099 and apply the necessary updates without delay.