SAP Security Notes May 2026: Supply-Chain Attack and Critical Vulnerabilities Explained

The SAP security advisories for May 2026 address several high-impact vulnerabilities, including a targeted software supply-chain attack, a “Hot News” SQL injection in S/4HANA, a missing authentication check in Commerce Cloud, and a high-risk OS command injection. Organizations should treat these notes as urgent and prioritize remediation to mitigate significant risks. Executive Summary: SAP’s security […]

Mini Shai-Hulud: Understanding the SAP Supply Chain Malware

Mini Shai-Hulud is a malware campaign that targeted the software supply chain for SAP cloud development by injecting malicious code into specific npm packages. Active for a few hours on April 29, 2026, the attack was designed to steal sensitive credentials, including GitHub tokens, npm tokens, and cloud credentials from developers using these tools. This […]

SAP Security Notes April 2026: Critical SQL Injection and High-Risk Flaws Patched

SAP’s April 2026 security update addresses a critical SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse. This top-priority issue, detailed in Hot News note 3719353, stems from insufficient authorization checks and is fixed by deactivating the vulnerable code. Other high-risk patches were also released. The April 2026 SAP Security Patch […]

SAP Security Notes March 2026: Critical Log4j and RCE Flaws Patched

SAP’s security notes for March 2026 address 14 vulnerabilities, including two critical “Hot News” items. The most severe patches fix a command injection vulnerability related to Apache Log4j and a remote code execution flaw in SAP NetWeaver Enterprise Portal. A high-risk Denial of Service (DoS) note for SAP Supply Chain Management was also released. This […]

SAP Security Notes February 2026: Critical Code Injection and Authentication Flaws

SAP’s February 2026 security update addresses several critical vulnerabilities, including a code injection flaw in SAP S/4HANA and SAP CRM, and a missing authentication check in SAP NetWeaver AS ABAP. These “Hot News” notes require immediate attention to prevent potential system compromise and unauthorized data access. The February 2026 SAP Security Notes patch day released […]

SAP Security Notes January 2026: Critical Vulnerabilities in S/4HANA and More

SAP’s January 2026 security update addresses several critical vulnerabilities, including a SQL injection and a code injection backdoor in S/4HANA that could lead to full system compromise. Immediate patching is required to mitigate risks of data theft, modification, and remote code execution across key SAP products. This advisory summarizes the most severe vulnerabilities released on […]

SAP Security Notes December 2025: Analysis of Critical Patches

SAP’s December 2025 security update includes three “Hot News” notes that patch critical vulnerabilities. These address a code injection flaw in SAP Solution Manager (SolMan), a deserialization vulnerability in SAP jConnect, and multiple issues in Apache Tomcat within SAP Commerce Cloud. Organizations should prioritize applying these patches to mitigate the risk of exploitation. This advisory […]

SAP Security Alert: Critical Patches for November 2025

SAP’s November 2025 security update includes critical patches for code execution, code injection, and insecure deserialization vulnerabilities. Key systems affected are SAP SQL Anywhere, SAP Solution Manager, and SAP NetWeaver AS Java. Administrators should prioritize the application of these patches to mitigate significant security risks. The November 2025 SAP Security Notes address several severe vulnerabilities […]

SAP Security Notes October 2025: Critical Vulnerabilities and Patches

SAP’s October 2025 security update addresses several critical and high-risk vulnerabilities, including two “Hot News” notes for insecure deserialization in SAP NetWeaver AS Java. These patches are crucial for preventing arbitrary OS command execution and protecting system integrity across multiple SAP products. This advisory summarizes the most significant patches released in October 2025. Key fixes […]

SAP Security Notes September 2025: Critical CVSS 10.0 Flaw in NetWeaver AS Java

SAP’s September 2025 security update includes the critical Hot News note 3634501, which addresses a CVSS 10/10 insecure deserialization vulnerability in SAP NetWeaver AS Java. This flaw could allow an attacker to execute arbitrary OS commands, leading to a full compromise of the affected Java systems. The SAP Security Notes for September 2025 are headlined […]