SAP Security Notes, May 2026
SAP Security Note 3747787 addresses the Mini Shai-Hulud malware campaign targeting SAP-related npm packages used in SAP cloud development. The incident involved malicious versions of packages associated with SAP CAP and MTA development tooling, including mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service. The compromised packages used a malicious preinstall script that executed during npm installation, downloaded the […]
Mini Shai-Hulud: Malware Targeting the Software Supply Chain for SAP Development Tools
On April 30, SAP released SAP Security Note 3747787 in response to the discovery of malicious code in npm packages connected to SAP development tools. The code is part of a malware campaign labelled Mini Shai-Hulud targeting the software supply chain for SAP cloud development. Shai-Hulud is a reference to the sandworms from the fictional […]
SAP Security Notes April 2026: Critical SQL Injection and High-Risk Flaws Patched
SAP’s April 2026 security update addresses a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. This top-priority issue, detailed in Hot News note 3719353, stems from insufficient authorization checks and is fixed by deactivating the vulnerable code. Other high-risk patches were also released. The April 2026 SAP Security Patch […]
SAP Security Notes March 2026: Critical Log4j and RCE Flaws Patched
SAP’s security notes for March 2026 address 14 vulnerabilities, including two critical “Hot News” items. The most severe patches fix a command injection vulnerability related to Apache Log4j and a remote code execution flaw in SAP NetWeaver Enterprise Portal. A high-risk Denial of Service (DoS) note for SAP Supply Chain Management was also released. This […]
SAP Security Notes February 2026: Critical Code Injection and Authentication Flaws
SAP’s February 2026 security update addresses several critical vulnerabilities, including a code injection flaw in SAP S/4HANA and SAP CRM, and a missing authentication check in SAP NetWeaver AS ABAP. These “Hot News” notes require immediate attention to prevent potential system compromise and unauthorized data access. The February 2026 SAP Security Notes patch day released […]
SAP Security Notes January 2026: Critical Vulnerabilities in S/4HANA and More
SAP’s January 2026 security update addresses several critical vulnerabilities, including a SQL injection and a code injection backdoor in S/4HANA that could lead to full system compromise. Immediate patching is required to mitigate risks of data theft, modification, and remote code execution across key SAP products. This advisory summarizes the most severe vulnerabilities released on […]
SAP Security Notes December 2025: Analysis of Critical Patches
SAP’s December 2025 security update includes three “Hot News” notes that patch critical vulnerabilities. These address a code injection flaw in SAP Solution Manager (SolMan), a deserialization vulnerability in SAP jConnect, and multiple issues in Apache Tomcat within SAP Commerce Cloud. Organizations should prioritize applying these patches to mitigate the risk of exploitation. This advisory […]
SAP Security Alert: Critical Patches for November 2025
SAP’s November 2025 security update includes critical patches for code execution, code injection, and insecure deserialization vulnerabilities. Key systems affected are SAP SQL Anywhere, SAP Solution Manager, and SAP NetWeaver AS Java. Administrators should prioritize the application of these patches to mitigate significant security risks. The November 2025 SAP Security Notes address several severe vulnerabilities […]
SAP Security Notes October 2025: Critical Vulnerabilities and Patches
SAP’s October 2025 security update addresses several critical and high-risk vulnerabilities, including two “Hot News” notes for insecure deserialization in SAP NetWeaver AS Java. These patches are crucial for preventing arbitrary OS command execution and protecting system integrity across multiple SAP products. This advisory summarizes the most significant patches released in October 2025. Key fixes […]
SAP Security Notes September 2025: Critical CVSS 10.0 Flaw in NetWeaver AS Java
SAP’s September 2025 security update includes the critical Hot News note 3634501, which addresses a CVSS 10/10 insecure deserialization vulnerability in SAP NetWeaver AS Java. This flaw could allow an attacker to execute arbitrary OS commands, leading to a full compromise of the affected Java systems. The SAP Security Notes for September 2025 are headlined […]