Notas de Seguridad SAP, Febrero 2026

Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.

Notas febrero 2026

Resumen y highlights del Mes

Detalle completo

El detalle completo de las notas más relevantes es el siguiente (en inglés):

1. Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) (3697099): An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability. A temporary workaround is available. CVSS v3 Base Score 9,9/10 [CVE-2026-0488]
2. Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform (3674774): SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application. CVSS v3 Base Score 9,6/10 [CVE-2026-0509]
3. XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform (3697567): SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage. A temporary workaround is available. CVSS v3 Base Score 8,8/10 [CVE-2026-23687]
4. Denial of service (DOS) in SAP Supply Chain Management (3703092): Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected. CVSS v3 Base Score 7,7/10 [CVE-2026-23689]
5. Missing Authorization check in SAP Solution Tools Plug-In (ST-PI) (3705882): SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability. CVSS v3 Base Score 7,7/10 [CVE-2026-24322]
6. Denial of service (DOS) in SAP BusinessObjects BI Platform (3654236): SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability but no impact on the confidentiality and integrity. A temporary workaround is available. CVSS v3 Base Score 7,5/10 [CVE-2026-0490]
7. Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform (3678282): SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause the Content Management Server (CMS) to crash and automatically restart. By repeatedly submitting these requests, the attacker could induce a persistent service disruption, rendering the CMS completely unavailable. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected. A temporary workaround is available. CVSS v3 Base Score 7,5/10 [CVE-2026-0485]
8. Race Condition in SAP Commerce Cloud (3692405): Under certain conditions, SAP Commerce Cloud allows an authenticated user to bypass SSL trust validation for outbound connections due to a race condition in the Eclipse Jersey library (CVE-2025-12383), leading to a High impact on confidentiality and integrity, and no impact on the availability of the application. CVSS v3 Base Score 7,4/10 [CVE-2025-12383]
9. Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform (3674246): The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and subsequently download the malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application. CVSS v3 Base Score 7,3/10 [CVE-2026-0508]

Enlaces de referencia

Referencias, en inglés de SAP y Onapsis (febrero):

• SAP Security Patch Day – February 2026
• SAP Patch Day: February 2026 – Onapsis

Recursos afectados

• SAP CRM and SAP S/4HANA (Scripting Editor): S4FND 102-109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801
• SAP NetWeaver Application Server ABAP and ABAP Platform: KRNL64NUC 7.22, KRNL64UC 7.22, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19; SAP_BASIS 700-702, 731, 740, 750-758, 804, 816, 916-918
• SAP Supply Chain Management: SCMAPO 713, 714, SCM 700, 701, 702, 712
• SAP Solution Tools Plug-In (ST-PI): ST-PI 2008_1_700, 2008_1_710, 740, 758
• SAP BusinessObjects BI Platform: ENTERPRISE 430, 2025, 2027
• SAP Commerce Cloud: HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21