Patch Day SAP CRM, S/4HANA: Attackers can damage databases
On the February Patch Day, SAP is addressing several security issues in its software portfolio.
Several SAP business software products are vulnerable. Among other things, attackers can exploit “critical” vulnerabilities in CRM and SAP S/4HANA (Scripting Editor) and in NetWeaver Application Server ABAP and ABAP Platform.
Particularly Dangerous Vulnerabilities
Due to a bug, authenticated attackers can execute SQL statements in the context of CRM and SAP S/4HANA (Scripting Editor), thus completely compromising databases (CVE-2026-0488 “critical”).
In NetWeaver Application Server ABAP and ABAP Platform, authorization management is flawed. Attackers with low user privileges can execute functions that are meant to be available only to higher-privileged users. This can limit the availability of the application (CVE-2026-0509 “critical”).
Even More Security Issues
Vulnerabilities with a threat level of “high” affect, among others, Supply Chain Management (DoS, CVE-2026-23689) and Commerce Cloud (DoS, CVE-2025-0508). The majority of the remaining vulnerabilities are classified as “medium” and impact, among others, Document Management System and Business One.
The software manufacturer lists the security vulnerabilities closed on this Patch Day in its portal. Further information on the vulnerabilities and secured versions can only be viewed in the customer portal.
(des)