SAP Security Notes, January 2026

Hot news note 3687749 patches a critical SQL injection vulnerability that can be exploited to read, modify, and delete data used in the Financials component of SAP S/4HANA. The correction in the note removes the vulnerability by validating user-controlled input before it can be injected into SQL queries. A workaround is also detailed in the note: access to the vulnerable function modules in function group FGL_BCF should be restricted using authorization object S_RFC. According to the note, the function modules are intended to be invoked only internally by the system as part of parallel processing and must not be callable via external RFC interfaces.

Hot news note 3694242 deals with another critical vulnerability in SAP S/4HANA that can be exploited to execute arbitrary ABAP code and OS commands and to bypass authorization checks. The vulnerability effectively functions as a backdoor, leading to the risk of full system compromise. The correction in the note removes the vulnerable code. Although a workaround is not included in the note, authorization object S_RFC can also be used to temporarily address the vulnerability by restricting access to the affected function group.
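Both S_RFC workarounds above only hold if no role still grants RFC execution on the affected function group, and broad roles often do so through wildcard values. The following audit check is an added example, not code from the SAP notes or from this post: it applies SAP authorization value semantics (a lone `*` matches everything, a trailing `*` is a prefix match) to constructed S_RFC role entries for FGL_BCF. The function module names inside FGL_BCF are not given on this page, so any FUNC-level names are caller-supplied placeholders.

```python
"""Audit S_RFC role entries for grants that expose function group FGL_BCF via RFC.

Added example (not from the SAP notes). Entries mirror the S_RFC fields a PFCG
role carries: RFC_TYPE ('FUGR' = function group, 'FUNC' = function module),
RFC_NAME (authorization value) and ACTVT ('16' = execute).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SRfcAuth:
    rfc_type: str   # 'FUGR' or 'FUNC'
    rfc_name: str   # exact name, 'PREFIX*' or '*'
    actvt: str      # '16' = execute, '*' = all activities


def sap_value_matches(auth_value: str, name: str) -> bool:
    """SAP authorization value semantics (case-insensitive):
    '*' matches every name, a trailing '*' is a prefix match, else exact."""
    auth_value, name = auth_value.upper(), name.upper()
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return name.startswith(auth_value[:-1])
    return auth_value == name


def grants_execute(auth: SRfcAuth, group: str, modules: list[str]) -> bool:
    """True if this S_RFC entry allows executing the group or one of its modules."""
    if auth.actvt not in ("16", "*"):
        return False
    if auth.rfc_type.upper() == "FUGR":
        return sap_value_matches(auth.rfc_name, group)
    if auth.rfc_type.upper() == "FUNC":
        # FUNC-level grants bypass the group check, so module names are needed too.
        return any(sap_value_matches(auth.rfc_name, m) for m in modules)
    return False


def audit_role(role_auths: list[SRfcAuth], group: str = "FGL_BCF",
               modules: tuple[str, ...] = ()) -> list[SRfcAuth]:
    """Return every S_RFC entry in the role that still exposes the function group."""
    return [a for a in role_auths if grants_execute(a, group, list(modules))]


def constructed_role() -> list[SRfcAuth]:
    """Constructed sample role: a full wildcard, a prefix grant and two harmless entries."""
    return [
        SRfcAuth("FUGR", "*", "16"),          # SAP_ALL-style grant: defeats the workaround
        SRfcAuth("FUGR", "FGL*", "*"),        # prefix value silently covers FGL_BCF
        SRfcAuth("FUGR", "ZCUSTOM_GRP", "16"),  # unrelated group: fine
        SRfcAuth("FUNC", "ZCUSTOM_FM", "16"),   # unrelated module: fine
    ]


if __name__ == "__main__":
    for hit in audit_role(constructed_role(), modules=("FGL_BCF_MODULE_PLACEHOLDER",)):
        print(f"exposes FGL_BCF: {hit}")
```

Run it against an export of the S_RFC values from table AGR_1251 (or a PFCG role download) to list the entries that must be narrowed before the workaround is effective.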

Note 3697979 addresses a similar critical ABAP code/OS command injection vulnerability in SAP Landscape Transformation.

Note 3668679 patches a remote code execution vulnerability in SAP Wily Introscope Enterprise Manager. The vulnerability can be exploited to execute commands on workstations using malicious JNLP (Java Network Launch Protocol) files accessible via URLs. Wily Enterprise Manager should be upgraded to version 10.8 SP01 Patch 2 ([PRIVATE_IP].220) to remove the vulnerability.

Note 3691059 fixes a privilege escalation vulnerability in SAP HANA that can be exploited by attackers to gain administrative access to the database. The correction in the note prevents unauthorized user switching to remove the root cause of the vulnerability.

Notes 3675151 and 3688703 deal with high-risk OS command injection and missing authorization check vulnerabilities in SAP NetWeaver AS ABAP.

Note 3565506 addresses multiple vulnerabilities in the SAP Fiori Application Intercompany Balance Reconciliation. The impacted components include S4CORE in SAP S/4HANA.