SAP’s January 2026 security update addresses several critical vulnerabilities, including a SQL injection and a code injection backdoor in S/4HANA that could lead to full system compromise. Immediate patching is required to mitigate risks of data theft, modification, and remote code execution across key SAP products.
This advisory summarizes the most severe vulnerabilities released on January 14, 2026. The patches include fixes for a critical SQL injection in S/4HANA Financials, a code injection vulnerability in S/4HANA that functions as a backdoor, a remote code execution flaw in Wily Introscope Enterprise Manager, and a privilege escalation issue in SAP HANA. Other high-risk vulnerabilities were also addressed in SAP Landscape Transformation, NetWeaver AS ABAP, and Fiori applications. Organizations are urged to review and apply these security notes to protect their landscapes from potential exploitation.
Key Takeaways
- Critical S/4HANA Flaws: Two “Hot News” notes address a critical SQL injection 3687749 and a code injection backdoor 3694242 in SAP S/4HANA, posing risks of data compromise and full system takeover.
- Remote Code Execution: A vulnerability in SAP Wily Introscope Enterprise Manager 3668679 allows for remote code execution via malicious JNLP files.
- Privilege Escalation: A flaw in SAP HANA 3691059 could allow attackers to gain administrative database access.
- Immediate Patching Required: Due to the severity of these vulnerabilities, applying the corresponding SAP security notes is the most effective way to reduce exposure.
- Workarounds Available: For some S/4HANA flaws, restricting access to specific function groups via authorization object S_RFC can serve as a temporary workaround.
January 2026 Critical SAP Vulnerability Summary
The table below outlines the most critical and high-risk vulnerabilities addressed in the January 2026 security notes.
| SAP Note | Component | Vulnerability Type | Summary of Risk |
| 3687749 | SAP S/4HANA (Financials) | SQL Injection | Allows an attacker to read, modify, and delete financial data. |
| 3694242 | SAP S/4HANA | Code Injection / Backdoor | Allows arbitrary ABAP code and OS command execution, leading to full system compromise. |
| 3697979 | SAP Landscape Transformation | Code Injection | Similar to the S/4HANA backdoor, allows ABAP/OS command injection. |
| 3668679 | SAP Wily Introscope | Remote Code Execution (RCE) | Exploitable via malicious JNLP files to execute commands on user workstations. |
| 3691059 | SAP HANA | Privilege Escalation | An attacker could gain unauthorized administrative access to the database. |
What is the Critical SQL Injection Vulnerability in S/4HANA? (Note 3687749)
Hot News note 3687749 patches a critical SQL injection vulnerability in the Financials component of SAP S/4HANA. The flaw can be exploited to read, modify, and delete sensitive data by injecting user-controlled input into SQL queries. The official fix prevents this by implementing proper input validation. As a temporary workaround, access to the vulnerable function modules in function group FGLBCF should be restricted using the authorization object S_RFC.
What is the Code Injection Backdoor in S/4HANA? (Note 3694242)
Hot News note 3694242 addresses another critical vulnerability in SAP S/4HANA that allows for arbitrary ABAP code and OS command injection. This vulnerability effectively functions as a backdoor, bypassing authorization checks and creating a risk of full system compromise. The correction provided in the note removes the vulnerable code. While no official workaround is detailed, restricting access to the affected function group with authorization object S_RFC can serve as a temporary mitigation.
What Other Critical & High-Risk Vulnerabilities Were Patched?
Several other significant vulnerabilities were addressed in this patch release:
- SAP Landscape Transformation: Note 3697979 fixes a critical ABAP code and OS command injection vulnerability similar to the one found in S/4HANA.
- SAP Wily Introscope: Note 3668679 patches a remote code execution vulnerability. Attackers could exploit this by tricking users into accessing malicious JNLP files, allowing command execution on their workstations. The solution is to upgrade Wily Enterprise Manager to version 10.8 SP01 Patch 2 (10.8.0.220).
- SAP HANA: Note 3691059 fixes a privilege escalation vulnerability that could allow an attacker to gain administrative access to the HANA database.
- SAP NetWeaver AS ABAP: Notes 3675151 and 3688703 resolve high-risk OS command injection and missing authorization check vulnerabilities.
- SAP Fiori: Note 3565506 addresses multiple vulnerabilities in the Fiori Application Intercompany Balance Reconciliation, which impacts S4CORE in S/4HANA.
Frequently Asked Questions (FAQ)
What were the most critical SAP vulnerabilities for January 2026?
The most critical vulnerabilities were two “Hot News” notes for SAP S/4HANA. Note 3687749 addressed a critical SQL injection, and note 3694242 addressed a code injection flaw that acts as a backdoor.
Is there a workaround for the critical S/4HANA vulnerabilities?
Yes, for both the SQL injection 3687749 and the code injection 3694242 vulnerabilities, restricting access to the vulnerable RFC function groups using the authorization object S_RFC can serve as a temporary mitigation until patches can be applied.
What is the fix for the SAP Wily Introscope vulnerability?
To remove the remote code execution vulnerability detailed in note 3668679, SAP Wily Introscope Enterprise Manager must be upgraded to version 10.8 SP01 Patch 2 (10.8.0.220) or a later version.