SAP Security Notes, January 2026

Inprosec, through services such as the SAP Security Assessment, helps its clients improve the security level of their SAP systems.


January 2026 Notes

Summary and highlights of the month

This month the total number of notes was 17, 3 more than in December 2025. 4 Hot News notes were published this month, one more than in the previous period. As for high-criticality notes, there are 4, one fewer than in December. Medium and low notes will not be reviewed, so we will give details on a total of 8 notes (all those with a CVSS score of 7 or higher).

There are 17 notes in total for the whole month (all 17 are new; there are no updates to notes published in previous months).

We will review in detail a total of 8 notes, all of them either high criticality or Hot News:

  1. The highest-criticality note of the month (CVSS 9.9) is a Hot News note related to “SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise”.
  2. The next in criticality (CVSS 9.6) is another Hot News note, the second of the month, related to “Remote code execution in SAP Wily Introscope Enterprise Manager”.
  3. The next in criticality (CVSS 9.1) are two Hot News notes, one related to “Code Injection vulnerability in SAP S/4HANA” and the other to “Code Injection vulnerability in SAP Landscape Transformation”.
  4. The next is a high-criticality note (CVSS 8.8) related to “Privilege escalation vulnerability in SAP HANA database”.
  5. The next in criticality (CVSS 8.4) is the second high-criticality note, related to “OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK”.
  6. The next in criticality (CVSS 8.1) are 2 high-criticality notes, related to “Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)” and “Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform”.
  7. This month the most common vulnerability type was “Code Injection” (3 of the 17 notes on the patch day).

The chart shows the classification of the January notes, together with the evolution and classification over the previous 5 months (only Security Tuesday / Patch Day notes, as published by SAP):

Full details

The full details of the most relevant notes are as follows:

  1. SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) (3687749): Due to insufficient input validation, an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application. A temporary workaround is available. CVSS v3 Base Score 9.9/10 [CVE-2026-0501]
  2. Remote code execution in SAP Wily Introscope Enterprise Manager (WorkStation) (3668679): Due to a critical remote code execution vulnerability, an unauthenticated attacker could craft a malicious JNLP (Java Network Launch Protocol) file and host it via a public URL. Once a victim accesses this URL, the Wily Introscope Server can be leveraged to execute arbitrary commands on the victim’s application environment. This exploit poses a severe risk as it could lead to a total compromise of the application’s confidentiality, integrity, and availability. CVSS v3 Base Score 9.6/10 [CVE-2026-0500]
  3. Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise) (3694242): SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in a function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise and undermining the confidentiality, integrity and availability of the system. CVSS v3 Base Score 9.1/10 [CVE-2026-0498]
  4. Code Injection vulnerability in SAP Landscape Transformation (3697979): A security flaw in SAP Landscape Transformation allows an attacker with administrative privileges to exploit a vulnerability within a function module exposed via RFC. By leveraging this weakness, an unauthorized user can inject arbitrary ABAP code or OS commands into the system while bypassing critical authorization checks. This vulnerability essentially operates as a backdoor, posing a severe risk of full system compromise of the confidentiality, integrity, and availability of the entire environment. CVSS v3 Base Score 9.1/10 [CVE-2026-0491]
  5. Privilege escalation vulnerability in SAP HANA database (3691059): SAP HANA database is vulnerable to privilege escalation, allowing an attacker with valid credentials of any user to switch to another user, potentially gaining administrative access. This exploit could result in a total compromise of the system’s confidentiality, integrity, and availability. CVSS v3 Base Score 8.8/10 [CVE-2026-0492]
  6. OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK (3675151): Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system’s confidentiality, integrity, and availability. CVSS v3 Base Score 8.4/10 [CVE-2026-0507]
  7. Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation) (3565506): SAP Fiori App Intercompany Balance Reconciliation does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has a high impact on the confidentiality and integrity of the application; availability is not impacted. CVSS v3 Base Score 8.1/10 [CVE-2026-0511]
  8. Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform (3688703): Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. CVSS v3 Base Score 8.1/10 [CVE-2026-0506]


Reference links

References, in English, from SAP and Onapsis (January):

SAP Security Patch Day – January 2026

SAP Patch Day: January 2025 – Onapsis

Affected resources

The full list of affected systems/components is as follows:
  • SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) Version(s) – S4CORE 102, 103, 104, 105, 106, 107, 108, 109
  • SAP Wily Introscope Enterprise Manager (WorkStation) – WILY_INTRO_ENTERPRISE 10.8
  • SAP S/4HANA (Private Cloud and On-Premise) – S4CORE 102, 103, 104, 105, 106, 107, 108, 109
  • SAP Landscape Transformation – DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020
  • SAP HANA database – SAP HANA database HDB 2.00
  • SAP Application Server for ABAP and SAP NetWeaver RFCSDK – KRNL64UC 7.53, NWRFCSDK 7.50, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.16
  • SAP Fiori App (Intercompany Balance Reconciliation) – UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102, 103, 104, 105, 106, 107, 108
  • SAP NetWeaver Application Server ABAP and ABAP Platform – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
  • SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) – SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 605, 606, 617
  • SAP NetWeaver Enterprise Portal – EP-RUNTIME 7.50
  • SAP Business Connector – SAP BC 4.8
  • SAP Supplier Relationship Management (SICF Handler in SRM Catalog) – SRM_SERVER 700, 701, 702, 713, 714
  • SAP Identity Management – DM_CLM_REST_API 8.0, IDMIC 8.0
