SAP Security Patch Day – February 2026
On February 10, 2026, SAP released its second Security Patch Day of the year with 26 new Security Notes and 1 update to a previously released note, bringing the total to 27 entries, a significant volume increase from January’s 17.
This release features 2 Critical-severity vulnerabilities (CVSS 9.6–9.9), 7 High-severity issues (CVSS 7.3–8.8), 16 Medium-severity problems (CVSS 4.3–6.5), and 2 Low-severity vulnerabilities (CVSS 3.1–3.4). Unlike January, one update to a prior note was released (Note 3503138, originally from January 2025), a sign that iterative hardening continues alongside fresh discoveries. The dominant pattern this month is Missing Authorization, accounting for eight or more notes, followed by Denial of Service and Information Disclosure across a wide product footprint.
Key Highlights by Severity
Critical Priority (CVSS 9.9)
A SQL Injection vulnerability in S/4HANA Financials General Ledger (Note 3687749, version 18) allows an authenticated attacker with low privileges to execute crafted SQL queries against the backend database, reading, modifying and deleting data with high impact on confidentiality, integrity and availability. Exploitability depends on the S_RFC authorization object being configured incorrectly, so remediation is shared between SAP's correction and the customer's own access control implementation.
Critical Priority (CVSS 9.9)
A Code Injection vulnerability in SAP CRM and SAP S/4HANA Scripting Editor (Note 3697099) allows an authenticated attacker with low privileges to exploit a generic function module call, execute arbitrary SQL statements, and achieve full database compromise with high impact on confidentiality, integrity, and availability. The fix introduces allowlist checks on function module calls; a temporary workaround via SICF service deactivation is available.
Critical Priority (CVSS 9.6)
A Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform (Note 3674774) allows authenticated low-privileged users to perform background Remote Function Calls (bgRFC) without the required S_RFC authorization, with high impact on integrity and availability. Remediation has two parts: a kernel patch (kernel releases 7.22 through 9.19) and explicitly setting the profile parameter rfc/authCheckInPlayback = 2; the patch alone does not activate the check.
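The two-part remediation is easy to get half right: a patched kernel whose profile never received the parameter still runs the old behaviour. The check below is an added example written for this article, not SAP code and not the correction instructions of Note 3674774. It parses exported profile files and reports whether rfc/authCheckInPlayback is explicitly 2. The parameter name and value come from the note summary above; the profile syntax rules it assumes (name = value lines, # comments, a later definition overrides an earlier one, the instance profile overrides DEFAULT.PFL) and the sample profiles are the example's own.

```python
"""Verify rfc/authCheckInPlayback across SAP profile files.

Added example, not SAP code or the correction instructions of Note 3674774.
Parameter name and required value are taken from the note summary above.
Assumptions: 'name = value' syntax, '#' starts a comment, a later definition
of the same name overrides an earlier one, and the instance profile overrides
DEFAULT.PFL. Profile variable substitution ($(...)) is not handled.
"""

# Required settings, taken from the text above (Note 3674774).
REQUIRED = {"rfc/authCheckInPlayback": "2"}


def parse_profile(text: str) -> dict[str, str]:
    """Parse one profile file into {name: value}; last definition wins."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (assumption: '#' anywhere)
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name:
            params[name] = value
    return params


def effective_parameters(*profiles: str) -> dict[str, str]:
    """Merge profiles in increasing precedence: DEFAULT.PFL first, instance profile last."""
    merged: dict[str, str] = {}
    for text in profiles:
        merged.update(parse_profile(text))
    return merged


def check_required(params: dict[str, str]) -> list[str]:
    """Return one finding per non-compliant parameter; an empty list means compliant.
    An absent parameter is a finding too: the note requires explicit activation."""
    findings = []
    for name, wanted in REQUIRED.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name} not set explicitly (required {wanted})")
        elif actual != wanted:
            findings.append(f"{name} = {actual} (required {wanted})")
    return findings


# Constructed sample profiles (not real customer data).
DEFAULT_PFL = """\
SAPSYSTEMNAME = PRD
# rfc/authCheckInPlayback = 2     commented out, so NOT in effect
login/no_automatic_user_sapstar = 1
"""

INSTANCE_PFL_WEAK = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
rfc/authCheckInPlayback = 0      # present but not the value the note requires
"""

INSTANCE_PFL_FIXED = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
rfc/authCheckInPlayback = 2
"""

if __name__ == "__main__":
    for label, instance in (("weak", INSTANCE_PFL_WEAK), ("fixed", INSTANCE_PFL_FIXED)):
        findings = check_required(effective_parameters(DEFAULT_PFL, instance))
        print(f"{label}: {findings or 'compliant'}")
```

Run it against the real DEFAULT.PFL and each instance profile of a system after the kernel upgrade; a commented-out or missing line is reported as a finding on purpose, because the note asks for explicit activation rather than reliance on a default.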
High Priority (CVSS 8.8–7.3)
- XML Signature Wrapping in SAP NetWeaver AS ABAP (Note 3697567, CVSS 8.8): authenticated attackers can tamper with signed XML documents, enabling unauthorized access and identity spoofing across SAP_BASIS 700–918.
- Denial of Service in SAP Supply Chain Management (Note 3703092, CVSS 7.7): an authenticated user can invoke an RFC-enabled function module with excessive loop parameters, exhausting system resources.
- Missing Authorization in SAP Solution Tools Plug-In ST-PI (Note 3705882, CVSS 7.7): function module invocation without authorization exposes sensitive system information.
- Two Denial of Service notes in SAP BusinessObjects BI Platform (Notes 3654236 and 3678282, CVSS 7.5 each): one exploitable by unauthenticated attackers to break platform authentication; the other by authenticated users to crash web application services.
- Race Condition in SAP Commerce Cloud (Note 3692405, CVSS 7.4) and Open Redirect in SAP BusinessObjects Business Intelligence Platform (Note 3674246, CVSS 7.3).
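XML Signature Wrapping does not break a signature; it moves the signed element aside and places an unsigned one where the consumer looks first, so the signature still verifies while the application acts on attacker data. The structural check below is an added example written for this article, not SAP code and not the fix in Note 3697567: after cryptographic verification (omitted here) it resolves the signature's Reference ID, requires that ID to be unique in the document, and refuses to act on an element outside the signed subtree. The SAML-style messages, element names and placeholder signature values are constructed for the example.

```python
"""Structural guard against XML Signature Wrapping (XSW).

Added example, not SAP code and not the fix shipped in Note 3697567. It shows
the check a consumer of signed XML needs after cryptographic verification:
the element the application acts on must be the element the signature's
Reference covers, and the referenced ID must resolve to exactly one element.
Documents below are constructed SAML-style messages; signature bytes are
placeholders and no cryptography is performed.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def select_assertion(root: ET.Element) -> ET.Element:
    """The naive consumer: trusts the first Assertion in document order.
    This is exactly the behaviour wrapping attacks exploit."""
    assertion = root.find(f".//{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no Assertion in message")
    return assertion


def name_id(assertion: ET.Element) -> str:
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID", default="")


def naive_name_id(xml_text: str) -> str:
    """What a consumer without the structural check would accept."""
    return name_id(select_assertion(ET.fromstring(xml_text)))


def consume_signed_assertion(xml_text: str) -> ET.Element:
    """Return the Assertion that may be trusted, or raise ValueError."""
    root = ET.fromstring(xml_text)
    signature = root.find(f".//{{{DS}}}Signature")
    if signature is None:
        raise ValueError("message is not signed")
    # Cryptographic verification of <ds:Signature> would happen here (omitted).
    ref = signature.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise ValueError("only same-document ID references are accepted")
    ref_id = uri[1:]
    # 1. The referenced ID must be unique; duplicate IDs are a classic XSW trick.
    matches = [el for el in root.iter() if el.get("ID") == ref_id]
    if len(matches) != 1:
        raise ValueError(f"ID {ref_id!r} resolves to {len(matches)} elements, expected exactly 1")
    signed = matches[0]
    # 2. The element we are about to act on must be the signed element or inside it.
    chosen = select_assertion(root)
    if not any(el is chosen for el in signed.iter()):
        raise ValueError("processed Assertion lies outside the signed element: wrapping detected")
    return chosen


def verdict(xml_text: str) -> str:
    """'accepted:<NameID>' or 'rejected:<reason>' for easy testing."""
    try:
        return "accepted:" + name_id(consume_signed_assertion(xml_text))
    except ValueError as exc:
        return "rejected:" + str(exc)


# --- constructed sample messages ---------------------------------------------
def signed_assertion(assertion_id: str) -> str:
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}">'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        f'<ds:Reference URI="#{assertion_id}"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
        '</saml:Assertion>'
    )


def forged_assertion(assertion_id: str) -> str:
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}">'
        '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>'
        '</saml:Assertion>'
    )


LEGIT = f'<samlp:Response xmlns:samlp="{SAMLP}">{signed_assertion("_a1")}</samlp:Response>'

# Forged Assertion first; the genuine signed one is moved where a naive parser ignores it.
WRAPPED = (
    f'<samlp:Response xmlns:samlp="{SAMLP}">{forged_assertion("_evil")}'
    f'<samlp:Extensions>{signed_assertion("_a1")}</samlp:Extensions></samlp:Response>'
)

# Same, but the forged Assertion reuses the signed ID so the Reference is ambiguous.
DUPLICATE_ID = (
    f'<samlp:Response xmlns:samlp="{SAMLP}">{forged_assertion("_a1")}'
    f'<samlp:Extensions>{signed_assertion("_a1")}</samlp:Extensions></samlp:Response>'
)

if __name__ == "__main__":
    for label, doc in (("legit", LEGIT), ("wrapped", WRAPPED), ("duplicate-id", DUPLICATE_ID)):
        print(f"{label:13} naive={naive_name_id(doc):6} hardened={verdict(doc)}")
```

The two rejections are the whole point: the naive path returns "admin" for the wrapped message because it never asks whether the element it reads is the one that was signed. In a real consumer the ID lookup and subtree check sit immediately after the signature library returns success, and the element passed on to authorization logic must be the one returned by the check, not a fresh XPath query over the document.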
Key Affected Components
SAP BusinessObjects BI Platform / Enterprise: Five notes (two High-severity DoS, one AdminTools DoS, one Open Redirect and one XSS in the Central Management Console) make BusinessObjects the most targeted product of the month, and the one unauthenticated attack vector is a particular concern for externally exposed deployments.
SAP NetWeaver (ABAP and Java): Four notes span the core application server, including both Critical vulnerabilities, an XML Signature Wrapping flaw, and a low-severity CRLF Injection in the Java stack, continuing NetWeaver’s role as the broadest and most persistently affected component.
SAP Solution Tools Plug-In (ST-PI): Four notes across Missing Authorization and Open Redirect in BSP applications reflect recurring gaps in this widely deployed plug-in, affecting versions from 2008_1_700 through 758.
SAP Commerce Cloud: Three notes, two Race Conditions and one Information Disclosure, signal growing attacker interest in SAP’s newer cloud-native product portfolio, which historically received less scrutiny than on-premise ABAP stacks.
SAP CRM / S/4HANA, Supply Chain Management, Document Management, Business One, Business Workflow, Strategic Enterprise Management, S/4HANA Defense & Security: Each contributes one to two notes, confirming broad ecosystem exposure well beyond the core ERP.
Notable Trends
1 – Missing Authorization as the Dominant Attack Class
With 8+ notes involving missing or insufficient authorization checks, this month confirms a systemic pattern in RFC-enabled function module exposure across ABAP-based products. The pattern spans NetWeaver, S/4HANA, Fiori, Business Workflow, and ST-PI, all requiring only standard user credentials to exploit.
2 – BusinessObjects as a Concentrated Attack Surface
Five notes in a single Patch Day targeting BusinessObjects, including one unauthenticated DoS vector, represent an unusual concentration of research activity on the BI platform. The Open Redirect and the XSS in the CMC also chain naturally: a redirect from a trusted BusinessObjects host lends credibility to a link that delivers the XSS payload to an administrator, a realistic multi-step attack for organizations with externally accessible deployments.
3 – RFC and Kernel Layer Under Continued Pressure
Two of the Critical notes target the RFC execution layer directly: one at the application level via function module exploitation (CRM/S/4HANA), the other at the kernel level via bgRFC authorization bypass; the General Ledger SQL Injection likewise hinges on RFC authorization object configuration. This continues January’s trend and reinforces the need for systematic RFC authorization auditing and a regular kernel patching cadence.
4 – Commerce Cloud Enters the Spotlight
SAP Commerce Cloud attracts 3 notes this month after minimal prior visibility. Race Condition vulnerabilities in an e-commerce context can translate into price manipulation, order duplication or authentication bypass, risks that remain significant even at Medium CVSS scores.
5 – Iterative Updates Return
February includes one re-release of a January 2025 note (Note 3503138, CVE-2025-0059), contrasting with January 2026’s entirely fresh batch. Organizations that previously patched should re-validate their remediation against the updated correction instructions.
6 – Higher Volume, Lower Peak Severity
Despite a 59% increase in note count over January (27 against 17), the Critical count drops from 4 to 2 and the overall distribution shifts toward Medium. This reflects broader but shallower coverage: more components affected at moderate risk rather than a concentrated cluster of high-impact Critical flaws.
The bottom line
February 2026’s release demands a broad, risk-tiered organizational response across all SAP environments:
- Emergency Patching for the Critical notes: the S/4HANA General Ledger SQL Injection (Note 3687749), the CRM/S/4HANA Code Injection (Note 3697099) and the NetWeaver bgRFC Authorization Bypass (Note 3674774), the last requiring kernel upgrades across all active ABAP versions together with the rfc/authCheckInPlayback = 2 profile parameter.
- BusinessObjects Hardening to address all five notes together, with priority on the unauthenticated DoS (Note 3654236) for externally exposed deployments; the NetWeaver AS ABAP XML Signature Wrapping fix (Note 3697567, CVSS 8.8) belongs in the same externally-facing tier wherever signed XML is accepted from outside.
- RFC Authorization Audit across all ABAP landscapes to identify and restrict function modules exposed without proper S_RFC controls, consistent with Note 3674774’s remediation guidance.
- ST-PI Authorization Review covering four notes affecting multiple versions, including Missing Authorization and Open Redirect in BSP applications.
- Commerce Cloud Patching for three notes across Race Condition and Information Disclosure vulnerabilities in HY_COM and COM_CLOUD deployments.
- Prior Patch Re-validation for organizations that previously applied the January 2025 fix for CVE-2025-0059 (Note 3503138) under the updated correction instructions.
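Trend 1 and the RFC Authorization Audit item above come down to one question: which roles let an ordinary user execute RFC-enabled function modules far beyond what their job needs? The script below is an added example written for this article, not SAP tooling and not the remediation of any note. It reads a role authorization export in the layout of table AGR_1251 and flags S_RFC grants whose RFC_NAME is a full wildcard, a range or a prefix wildcard combined with Execute (ACTVT 16). The export rows, role names and severity ordering are constructed for the example; RFC_TYPE, RFC_NAME and ACTVT are the real fields of authorization object S_RFC.

```python
"""Audit S_RFC grants in a role authorization export (AGR_1251-style).

Added example, not SAP tooling and not the remediation of Note 3674774. It
flags roles whose S_RFC authorizations allow executing RFC function modules
or function groups by wildcard or range, the exposure that turns this month's
Missing Authorization notes into reachable attack surface. The CSV layout
(AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH) mirrors table AGR_1251, one row per
field value of an authorization instance; all rows are constructed.
"""
import csv
import io
from collections import defaultdict

EXECUTE = "16"          # ACTVT 16 = Execute, the only activity S_RFC knows
SEVERITY = {"FULL_WILDCARD": 0, "RANGE": 1, "PREFIX_WILDCARD": 2}   # example's own ordering

# Constructed export (not real customer data).
EXPORT = """\
AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH
Z_FI_GL_DISPLAY;S_RFC;T-001;RFC_TYPE;FUGR;
Z_FI_GL_DISPLAY;S_RFC;T-001;RFC_NAME;FAGL_DISPLAY;
Z_FI_GL_DISPLAY;S_RFC;T-001;ACTVT;16;
Z_BASIS_SUPPORT;S_RFC;T-002;RFC_TYPE;FUGR;
Z_BASIS_SUPPORT;S_RFC;T-002;RFC_NAME;*;
Z_BASIS_SUPPORT;S_RFC;T-002;ACTVT;16;
Z_INTERFACE_USER;S_RFC;T-003;RFC_TYPE;FUNC;
Z_INTERFACE_USER;S_RFC;T-003;RFC_NAME;Z_IF_*;
Z_INTERFACE_USER;S_RFC;T-003;ACTVT;16;
Z_READONLY;S_RFC;T-004;RFC_TYPE;FUGR;
Z_READONLY;S_RFC;T-004;RFC_NAME;A;ZZZZZZZZZZ
Z_READONLY;S_RFC;T-004;ACTVT;16;
Z_HR_VIEW;S_TCODE;T-005;TCD;PA20;
"""


def load_s_rfc_instances(export_text: str) -> dict:
    """Group S_RFC rows into {(role, auth): {field: [(low, high), ...]}}."""
    instances: dict = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        if row["OBJECT"] != "S_RFC":
            continue                      # other objects (S_TCODE, ...) are out of scope here
        key = (row["AGR_NAME"], row["AUTH"])
        instances[key][row["FIELD"]].append((row["LOW"].strip(), (row["HIGH"] or "").strip()))
    return instances


def classify(low: str, high: str) -> str:
    """Classify one RFC_NAME value: exact names are fine, anything broader is a finding."""
    if low == "*":
        return "FULL_WILDCARD"
    if high:
        return "RANGE"                    # LOW..HIGH interval, usually far wider than intended
    if "*" in low:
        return "PREFIX_WILDCARD"
    return "EXACT"


def audit(export_text: str) -> list[dict]:
    """Return findings for every S_RFC instance granting Execute on a non-exact name."""
    findings = []
    for (role, auth), fields in load_s_rfc_instances(export_text).items():
        activities = {low for low, _ in fields.get("ACTVT", [])}
        if not activities & {EXECUTE, "*"}:
            continue
        rfc_types = ",".join(sorted(low for low, _ in fields.get("RFC_TYPE", []))) or "?"
        for low, high in fields.get("RFC_NAME", []):
            kind = classify(low, high)
            if kind == "EXACT":
                continue
            findings.append({
                "role": role, "auth": auth, "rfc_type": rfc_types,
                "rfc_name": f"{low}..{high}" if high else low, "kind": kind,
            })
    return sorted(findings, key=lambda f: (SEVERITY[f["kind"]], f["role"]))


def roles_with_full_wildcard(findings: list[dict]) -> list[str]:
    """Roles that can call any RFC-enabled function module: fix these first."""
    return sorted({f["role"] for f in findings if f["kind"] == "FULL_WILDCARD"})


if __name__ == "__main__":
    for f in audit(EXPORT):
        print(f"{f['kind']:16} {f['role']:18} {f['auth']}  RFC_TYPE={f['rfc_type']}  RFC_NAME={f['rfc_name']}")
```

Exact grants such as Z_FI_GL_DISPLAY produce no finding; the full wildcard on Z_BASIS_SUPPORT is the one to remove first, because with it every Missing Authorization note in an RFC-enabled function module is reachable by anyone holding the role. Ranges and prefix wildcards need a review of which function groups they actually cover before being narrowed.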
February’s breadth across 15+ product lines, combined with the sustained RFC authorization gap pattern and the emergence of Commerce Cloud as a new target, signals that the 2026 threat landscape is widening rather than converging. Organizations cannot afford to apply patches in isolation; the recurring Missing Authorization theme demands a proactive, landscape-wide authorization architecture review rather than note-by-note remediation.
At Vicxer, our SAP security experts streamline vulnerability management with real-time monitoring and tailored remediation strategies. Safeguard your landscape against evolving threats. Contact us today to fortify your SAP environment.