SAP Security Notes, April 2026

Hot news note 3719353 patches a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. The vulnerability arises from insufficient authorization checks for user uploads in a specific ABAP program. The fix included in the note deactivates executable code within the ABAP program, preventing any execution pathway. With the code […]

SAP Security Notes, March 2026

Hot news note 3698553 patches a critical command injection vulnerability in Apache Log4j bundled in SAP Quotation Management Insurance. The package assembly for the FS-QUO-scheduler module of the application should be updated to a secure version. As a workaround, the Java archive file log4j-1.2.17.jar can be deleted in the {FS-QUO-scheduler}/lib directory. Hot news note 3714585 […]

SAP Security Notes, February 2026

Hot news note 3697099 patches a critical code injection vulnerability in SAP S/4HANA and SAP CRM. The vulnerability can be exploited by attackers to execute arbitrary SQL statements by calling function modules using the Scripting Editor. As a workaround, the Scripting Editor can be disabled by deactivating the ICF service CRM_IC_ISE in the sap/bc/bsp/sap service […]

SAP Security Notes, January 2026

Hot news note 3687749 patches a critical SQL injection vulnerability that can be exploited to read, modify, and delete data used in the Financials component of SAP S/4HANA. The solution in the note applies input validation to prevent user-controlled input from being injected into SQL queries. A workaround is also detailed in […]

SAP Security Notes, December 2025

Hot news note 3685270 patches a code injection vulnerability in SAP Solution Manager (CVE-2025-42880). The vulnerability impacts all support pack levels for Solution Manager 7.2 (SolMan). The patch introduces input validation to secure the relevant vulnerable remote-enabled function module. Customers should consider migrating application monitoring and lifecycle management functions to SAP Cloud ALM and decommission […]

SAP Security Notes, November 2025

Hot news note 3666261 patches a critical code execution vulnerability in SAP SQL Anywhere. The correction removes the SQL Anywhere Monitor. The note recommends switching to the SQL Anywhere Cockpit for database administration. Hot news note 3668705 addresses a code injection vulnerability in SAP Solution Manager arising from missing input validation for a vulnerable remote-enabled […]

SAP Security Notes, October 2025

Hot news note 3634501 patches a critical insecure deserialization vulnerability in SAP NetWeaver AS Java. The vulnerability can be exploited by attackers to execute arbitrary OS commands. The patch updates the affected P4-Lib component to enforce secure deserialization handling and restrict the acceptance of untrusted Java objects via the RMI-P4 module. As a workaround, network […]

SAP Security Notes, September 2025

Hot news note 3634501 patches a critical insecure deserialization vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java. The vulnerability can be exploited to execute arbitrary OS commands that could lead to the full compromise of AS Java systems. As a result, the vulnerability has a CVSS rating of 10/10. Since the […]

SAP Security Notes, August 2025

Hot news notes 3581961 and 3627998 patch critical code injection vulnerabilities in SAP S/4HANA. Both notes have CVSS scores of 9.9/10. The vulnerabilities impact the function modules /SLOAP/GEN_MODULE_REPORT and /SLOAE/DEPLOY that can be exploited to install backdoors that bypass authorization checks. The function modules are used for reporting and analysis and are included in S4CORE. […]

SAP Security Notes, July 2025

There are multiple hot news notes released in July for insecure deserialization vulnerabilities in SAP NetWeaver AS Java solutions and components. The vulnerabilities arise from the processing of untrusted user-provided serialized data without adequate input validation. This can lead to malicious code execution and authentication bypass. Notes 3610892, 3621236, 3620498 and 3621771 correct deserialization vulnerabilities […]