Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems and stay ahead of emerging threats.
Our Threat Intelligence team provides continuous monitoring and expert analysis of the latest SAP Security Notes and vulnerabilities. This repository serves as a critical resource for SAP Basis and Security teams to identify, prioritize, and remediate flaws in S/4HANA, ECC, and other SAP solutions. By delivering structured advisories on security notes and high-priority patches, we help organizations reduce their mean-time-to-remediation (MTTR) and protect mission-critical SAP solutions from exploitation.
Hot news note 3719353 patches a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. The vulnerability arises from insufficient authorization checks for user uploads in a specific ABAP program. The fix included in the note deactivates executable code within the ABAP program, preventing any execution pathway. With the code
Hot news note 3698553 patches a critical command injection vulnerability in Apache Log4j bundled in SAP Quotation Management Insurance. The package assembly for the FS-QUO-scheduler module of the application should be updated to a secure version. As a workaround, the Java archive file log4j-1.2.17.jar. can be deleted in the {FS-QUO-scheduler}/lib directory. Hot news note 3714585
Hot news note 3697099 patches a critical code injection vulnerability in SAP S/4HANA and SAP CRM. The vulnerability can be exploited by attackers to execute arbitrary SQL statements by calling function modules using the Scripting Editor. As a workaround, the Scripting Editor can be disabled by deactivating the service CRM_IC_ISE ICF in the sap/bc/bsp/sap service
Hot news note 3687749 patches a critical SQL injection vulnerability that can be exploited to read, modify, and delete data used in the Financials component of SAP S/4HANA. The solution in the note prevents the injection of user-controlled input in SQL queries using input validation to remove the vulnerability. A workaround is also detailed in
Hot news note 3685270 patches a code injection vulnerability in SAP Solution Manager (CVE-2025-42880). The vulnerability impacts all support pack levels for Solution Manager 7.2 (SolMan). The patch introduces input validation to secure the relevant vulnerable remote-enabled function module. Customers should consider migrating application monitoring and lifecycle management functions to SAP Cloud ALM and decommission
Hot news note 3666261 patches a critical code execution vulnerability in SAP SQL Anywhere. The correction removes the SQL Anywhere Monitor. The note recommends switching to the SQL Anywhere Cockpit for database administration. Hot news note 3668705 addresses a code injection vulnerability in SAP Solution Manager arising from missing input validation for a vulnerable remote-enabled
Hot news note 3634501 patches a critical insecure deserialization vulnerability in SAP NetWeaver AS Java. The vulnerability can be exploited by attackers to execute arbitrary OS commands. The patch updates the affected P4-Lib component to enforce secure deserialization handling and restrict the acceptance of untrusted Java objects via the RMI-P4 module. As a workaround, network
Hot news note 3634501 patches a critical insecure deserialization vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java. The vulnerability can be exploited to perform arbitrary OS commands that could lead to the full compromise of AS Java systems. As a result, the vulnerability has a CVSS rating of 10/10. Since the
Hot news notes 3581961 and 3627998 patch critical code injection vulnerabilities in SAP S/4HANA. Both notes have CVSS scores of 9.9/10. The vulnerabilities impact the function modules /SLOAP/GEN_MODULE_REPORT and /SLOAE/DEPLOY that can be exploited to install backdoors that bypass authorization checks. The function modules are used for reporting and analysis and are included in S4CORE.
There are multiple hot news notes released in July for insecure deserialization vulnerabilities in SAP NetWeaver AS Java solutions and components. The vulnerabilities arise from the processing of untrusted user-provided serialized data without adequate input validation. This can lead to malicious code execution and authentication bypass. Notes 3610892, 3621236, 3620498 and 3621771 correct deserialization vulnerabilities
Hot news note 3600840 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The vulnerability is due to the failure to check the RFC start authorization S_RFC for transactional (tRFC) and queued RFC (qRFC) calls during the playback of recorded RFCs. It
Hot news note 3594142 patches a critical missing authorization check in the development server of Visual Composer within SAP NetWeaver Application Server Java (AS Java). The note addresses CVE-2025-31324, a zero-day vulnerability discovered and reported by ReliaQuest on April 22. The note includes a correction for specific support packages of version 7.50 of AS Java.