SAP Security Notes February 2026: Critical Code Injection and Authentication Flaws

SAP’s February 2026 security update addresses several critical vulnerabilities, including a code injection flaw in SAP S/4HANA and SAP CRM, and a missing authentication check in SAP NetWeaver AS ABAP. These “Hot News” notes require immediate attention to prevent potential system compromise and unauthorized data access.

The February 2026 SAP Security Notes patch day released a significant number of fixes, with two marked as “Hot News” due to their critical nature. The most severe is a code injection vulnerability detailed in note 3697099, affecting SAP S/4HANA and SAP CRM. This flaw allows attackers to execute arbitrary SQL statements, potentially leading to a full database compromise. The second critical issue, covered in note 3674774, is a missing authentication check for background RFCs in SAP NetWeaver AS ABAP, which could allow unauthorized function execution. Additional high-priority patches address an XML Signature Wrapping vulnerability in NetWeaver, information disclosure, and denial of service vulnerabilities in SAP BusinessObjects.

Key Takeaways

  • A critical code injection vulnerability in SAP S/4HANA and CRM was patched.
  • A missing authentication check in SAP NetWeaver AS ABAP for background RFCs was fixed.
  • Note 3697567 addresses an XML Signature Wrapping vulnerability.
  • Patches were also released for information disclosure in the ST-PI Addon.
  • Vulnerabilities including open redirect and denial of service were fixed in SAP BusinessObjects.

What Are the Most Critical SAP Vulnerabilities for February 2026?

The most critical vulnerabilities patched in February 2026 are two “Hot News” notes impacting core SAP systems. These require immediate review and patching to mitigate the risk of exploitation.

The first, detailed in note 3697099, is a critical code injection vulnerability in the Scripting Editor component of SAP S/4HANA and SAP CRM. It allows an attacker to execute arbitrary SQL statements by calling function modules, which could lead to a full compromise of the database. As a temporary workaround, SAP suggests deactivating the CRMICISE ICF service.

The second, covered by note 3674774, addresses a critical missing authentication check for background RFCs (tRFC and qRFC) in SAP NetWeaver AS ABAP. This could allow a low-privileged user to execute functions without proper authorization. To fully enable the fix, the profile parameter rfc/authCheckInPlayback must be set to the value 2 in addition to applying the support package.

What Other Notable SAP Patches Were Released?

Beyond the two critical “Hot News” items, SAP released several other important security patches for NetWeaver and BusinessObjects.

Note 3697567 enhances verification for XML signatures to fix an XML Signature Wrapping vulnerability in NetWeaver AS ABAP. This could prevent attackers from manipulating signed documents to gain unauthorized access. A potential workaround involves disabling SAML and using alternative authentication methods.

An information disclosure vulnerability in the ST-PI Addon for NetWeaver AS ABAP is patched by note 3705882. This flaw could be exploited to obtain sensitive system information.

Finally, a series of notes including 3674246, 3678282, and 3654236 address multiple open redirect and denial of service vulnerabilities within SAP BusinessObjects.

Frequently Asked Questions (FAQ)

What was the most critical SAP vulnerability for February 2026?
The most critical vulnerability was a code injection flaw in SAP S/4HANA and SAP CRM, covered by Hot News note 3697099. It allows for arbitrary SQL execution via the Scripting Editor.

How do I fix the missing authentication check in SAP NetWeaver?
To fix the vulnerability from note 3674774, you must apply the recommended support package and set the profile parameter rfc/authCheckInPlayback to the value 2 to enforce stronger authorization checks.
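The paragraph on note 3674774 above and this FAQ answer both state that the support package alone is not enough: the profile parameter rfc/authCheckInPlayback must also be set to 2. The following is an added example (not code from the original article or from SAP) for verifying that across a landscape. It assumes the plain-text layout of SAP profile files (`name = value` lines, `#` comment lines, instance profile overriding the default profile, last assignment winning) and matches parameter names case-insensitively; the profile contents and instance names are constructed sample data.

```python
"""Compliance check for rfc/authCheckInPlayback (SAP note 3674774).

Added example, not from the article or from SAP. Parses SAP profile text
(DEFAULT.PFL plus an instance profile) and reports instances whose effective
value is not 2. Format handling here is an assumption: '#' at line start is a
comment, 'name = value' per line, later assignments override earlier ones, and
the instance profile overrides the default profile.
"""
from dataclasses import dataclass
from typing import Optional

PARAM = "rfc/authCheckInPlayback"
REQUIRED_VALUE = "2"


@dataclass
class Finding:
    instance: str
    value: Optional[str]   # None when the parameter is absent from both profiles
    compliant: bool


def parse_profile(text: str) -> dict:
    """Return a lowercase-name -> value map; the last assignment of a name wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Names are compared case-insensitively (assumption for this example).
        params[name.strip().lower()] = value.strip()
    return params


def effective_params(default_text: str, instance_text: str) -> dict:
    """Merge default and instance profile; instance values take precedence."""
    merged = parse_profile(default_text)
    merged.update(parse_profile(instance_text))
    return merged


def check_instance(name: str, default_text: str, instance_text: str) -> Finding:
    """Flag an instance unless its effective rfc/authCheckInPlayback is exactly 2."""
    value = effective_params(default_text, instance_text).get(PARAM.lower())
    return Finding(name, value, value == REQUIRED_VALUE)


def non_compliant(findings) -> list:
    """Instances that still need the parameter set after the support package."""
    return [f.instance for f in findings if not f.compliant]


# Constructed sample profiles for three fictitious instances.
DEFAULT_PFL = """
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = ABC
login/min_password_lng = 12
"""

INSTANCE_PROFILES = {
    "ABC_D00_host1": """
# fully remediated: parameter set to the required value
rfc/authCheckInPlayback = 2
""",
    "ABC_D01_host2": """
# set, but to an insufficient value
rfc/authCheckInPlayback = 1
""",
    "ABC_D02_host3": """
# parameter never set; only unrelated settings present
rdisp/wp_no_dia = 10
""",
    "ABC_D03_host4": """
rfc/authCheckInPlayback = 2
# a later line silently overrides the earlier one
rfc/authCheckInPlayback = 0
""",
}


def run_check() -> list:
    """Evaluate every constructed instance and return the findings."""
    return [check_instance(n, DEFAULT_PFL, p) for n, p in INSTANCE_PROFILES.items()]


if __name__ == "__main__":
    for f in run_check():
        status = "OK " if f.compliant else "FIX"
        print(f"{status} {f.instance}: {PARAM} = {f.value}")
```

In practice the profile text would be read from the instance profile files on each application server (or exported from RZ10); the check treats an absent parameter as non-compliant rather than assuming a default, since the note text only confirms that the value 2 enforces the new authorization check.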

What systems were affected by the February 2026 patches?
Key systems affected include SAP S/4HANA, SAP CRM, SAP NetWeaver AS ABAP, and SAP BusinessObjects.
