Executive Summary
SAP released 17 Security Notes on the January 2026 Patch Day (13 January 2026). Four are Critical (CVSS 9.1-9.9) and four are High (CVSS 8.1-8.8).
What makes this month stand out is where the highest-risk issues sit: core enterprise trust paths. We have a critical SQL injection in S/4HANA Finance (General Ledger), two RFC-exposed “backdoor-style” code-injection flaws (S/4HANA analytics/data transformation and Landscape Transformation), and a privilege escalation in SAP HANA that can turn a low-privileged DB login into an administrative context. These are the types of vulnerabilities that map directly to how real intrusions unfold in SAP landscapes: stolen credentials → lateral movement via RFC/DB → full compromise.
Key Takeaways
- Prioritize the Critical notes first, especially the S/4HANA Finance SQL injection (3687749) and the two RFC-based code injection fixes (3694242, 3697979).
- Assume internal trust boundaries will be abused. Several of this month’s top vulnerabilities depend on RFC reachability and authorization design (S_RFC, RFC-enabled modules) rather than internet exposure.
- HANA customers should treat 3691059 as an urgent issue. If an attacker gets any valid HANA credentials, this vulnerability can enable impersonation and privilege escalation.
- Basis and monitoring tooling are in scope. The Introscope Enterprise Manager issue (3668679) targets a component that often sits in privileged admin networks, and the exploit path is realistic in targeted phishing.
- Organizations at the greatest risk: large enterprises with complex integrations (broad RFC technical users), landscapes running DMIS/SLT, SolMan/Introscope monitoring, and environments where Portal/Fiori/BC endpoints are reachable from remote networks.
Critical & High-Priority Security Notes
SAP Note 3687749 (CVE-2026-0501) – SQL Injection in SAP S/4HANA Finance (General Ledger)
| Severity | CVSS | Component | Stack | Reachability |
|---|---|---|---|---|
| Critical | 9.9 | FI-GL-GL-G (Financial Accounting > General Ledger > Closing / Period-End) | ABAP, exposed through an RFC-invocable function path | Typically internally reachable (RFC). Not inherently internet-facing, but reachable wherever RFC connectivity exists (app servers, integration platforms, trusted RFC destinations). |
How Widely This Is Used
General Ledger functions are foundational in nearly every S/4HANA landscape across all industries, with especially high operational reliance during month-end/quarter-end close. Even when not exposed externally, RFC access is common due to integrations and technical users.
Nature of Vulnerability
A vulnerable function path allows user-controlled input to influence SQL execution. Under the wrong conditions, that becomes classical SQL injection: attacker-supplied values end up shaping a backend query rather than being treated as data.
SAP explicitly notes a critical prerequisite: the scenario becomes exploitable when S_RFC authorizations are configured too broadly, effectively allowing external RFC calls to the affected function group.
Attack Scenarios
- In a possible attack scenario, a threat actor compromises a technical RFC user (integration account, background user, service user) and uses RFC tooling to call the vulnerable function path with crafted parameters. If S_RFC permits access to the vulnerable function group, the attacker can read, change, or delete backend database data used by finance processes, without requiring OS-level access.
- The most realistic exploitation path is post-compromise, combining stolen credentials and overly permissive RFC rights.
Business Impact
This is not “just” data exposure. In a finance context, SQL injection can result in manipulated financial postings or balances, impacting financial reporting integrity and disrupting close activities (data corruption, missing records, reconciliation failures). Consequences might also include audit and compliance exposure, mainly where financial controls depend on SAP data integrity.
Mitigation and Recommendations
- Patch: Implement SAP Note 3687749 via the referenced support package/correction instructions.
- If patching is delayed (immediate control):
- Tighten S_RFC to ensure no external RFC access to function modules in function group FGL_BCF (SAP’s stated workaround).
- Review RFC destinations (SM59) and technical users for wildcards (RFC_NAME = *) or broad function group access.
- Monitoring guidance:
- Increase visibility into RFC calls touching finance-related function groups; correlate unusual RFC usage with privileged technical users.
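As an added example (not SAP code and not part of the original advisory) of how to check the interim control above, the following script reads a semicolon-separated export of AGR_1251 (role authorization values) and AGR_USERS (role-to-user assignments) and lists every role, and every user holding it, whose S_RFC values reach function group FGL_BCF, whether by exact name, trailing-asterisk prefix, LOW/HIGH range, or an outright RFC_NAME wildcard. The sample exports, role names and user IDs are constructed; the matching rules implement standard SAP authorization value semantics.

```python
"""
Review S_RFC authorizations from an AGR_1251 export for the SAP Note 3687749
workaround: find every role (and the users holding it) whose S_RFC values
expose function group FGL_BCF, or grant an RFC_NAME wildcard.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from io import StringIO

# Constructed sample data. AGR_1251 holds role authorization values (one row per
# field value); AGR_USERS maps roles to users. Only the columns used here are
# included, in the semicolon-separated shape an SE16 download provides.
AGR_1251_SAMPLE = """\
AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH;DELETED
Z_INTEGRATION_ALL;S_RFC;T-0001;RFC_TYPE;*;;
Z_INTEGRATION_ALL;S_RFC;T-0001;RFC_NAME;*;;
Z_INTEGRATION_ALL;S_RFC;T-0001;ACTVT;16;;
Z_FIN_CLOSE;S_RFC;T-0002;RFC_TYPE;FUGR;;
Z_FIN_CLOSE;S_RFC;T-0002;RFC_NAME;FGL*;;
Z_FIN_CLOSE;S_RFC;T-0002;ACTVT;16;;
Z_FIN_RANGE;S_RFC;T-0003;RFC_TYPE;FUGR;;
Z_FIN_RANGE;S_RFC;T-0003;RFC_NAME;FGL_A;FGL_Z;
Z_FIN_RANGE;S_RFC;T-0003;ACTVT;16;;
Z_MM_RFC;S_RFC;T-0004;RFC_TYPE;FUGR;;
Z_MM_RFC;S_RFC;T-0004;RFC_NAME;MM_*;;
Z_MM_RFC;S_RFC;T-0004;ACTVT;16;;
Z_OLD_ROLE;S_RFC;T-0005;RFC_TYPE;FUGR;;X
Z_OLD_ROLE;S_RFC;T-0005;RFC_NAME;FGL_BCF;;X
Z_OLD_ROLE;S_RFC;T-0005;ACTVT;16;;X
Z_FIN_CLOSE;S_TCODE;T-0006;TCD;FAGLB03;;
"""

AGR_USERS_SAMPLE = """\
AGR_NAME;UNAME
Z_INTEGRATION_ALL;RFC_MDM
Z_INTEGRATION_ALL;RFC_PI
Z_FIN_CLOSE;JDOE
Z_FIN_RANGE;BATCH_FI
Z_MM_RFC;RFC_WMS
"""


def value_matches(low: str, high: str, target: str) -> bool:
    """Authorization value semantics: a filled HIGH makes LOW..HIGH an inclusive
    range, '*' alone matches everything, a trailing '*' is a prefix pattern,
    anything else must match exactly."""
    if high:
        return low <= target <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return target.startswith(low[:-1])
    return low == target


def load_auths(export: str, obj: str) -> dict[tuple[str, str], dict[str, list[tuple[str, str]]]]:
    """Group live (non-deleted) AGR_1251 rows for one object by
    (role, auth instance) -> field -> [(LOW, HIGH), ...]."""
    auths: dict = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(StringIO(export), delimiter=";"):
        if row["OBJECT"] != obj or row["DELETED"].strip() == "X":
            continue
        auths[(row["AGR_NAME"], row["AUTH"])][row["FIELD"]].append((row["LOW"], row["HIGH"]))
    return auths


def s_rfc_findings(export: str, function_group: str) -> list[dict[str, str]]:
    """One finding per S_RFC authorization instance that grants execute (ACTVT 16)
    on every RFC module, or on the given function group."""
    findings = []
    for (role, auth), fields in load_auths(export, "S_RFC").items():
        if not any(value_matches(lo, hi, "16") for lo, hi in fields.get("ACTVT", [])):
            continue
        names = fields.get("RFC_NAME", [])
        type_ok = any(value_matches(lo, hi, "FUGR") for lo, hi in fields.get("RFC_TYPE", []))
        if any(lo == "*" and not hi for lo, hi in names):
            reason = f"RFC_NAME=* grants every RFC-enabled module, including {function_group}"
        elif type_ok and any(value_matches(lo, hi, function_group) for lo, hi in names):
            reason = f"grants function group {function_group}"
        else:
            continue
        findings.append({"role": role, "auth": auth, "reason": reason})
    return findings


def affected_users(findings: list[dict[str, str]], users_export: str) -> dict[str, list[str]]:
    """Map each user holding a flagged role to the reasons, so technical users
    (integration, batch, service accounts) can be reviewed first."""
    role_users: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(StringIO(users_export), delimiter=";"):
        role_users[row["AGR_NAME"]].append(row["UNAME"])
    out: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        for user in role_users.get(f["role"], []):
            out[user].append(f"{f['role']} ({f['auth']}): {f['reason']}")
    return dict(out)


if __name__ == "__main__":
    found = s_rfc_findings(AGR_1251_SAMPLE, "FGL_BCF")
    for f in found:
        print(f"{f['role']:20} {f['auth']:7} {f['reason']}")
    for user, reasons in affected_users(found, AGR_USERS_SAMPLE).items():
        print(user, "->", "; ".join(reasons))
```

Run as-is to see the constructed findings, or feed it real downloads of the two tables. Note that the deleted authorization (DELETED = X) is skipped, and that entries with RFC_TYPE=FUNC name individual function modules; resolving those to their function group needs the function module directory tables and is deliberately not attempted here.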
SAP Note 3668679 (CVE-2026-0500) – Remote Code Execution in SAP Wily Introscope Enterprise Manager (Workstation Launch)
| Severity | CVSS | Component | Stack | Reachability |
|---|---|---|---|---|
| Critical | 9.6 | SV-SMG-DIA-WLY (SolMan / Introscope Integration) | Java-based tooling around Introscope Enterprise Manager / Workstation | Typically admin-network reachable; often not internet-facing, but accessible to Basis/monitoring teams and sometimes reachable across monitoring segments. |
How Widely This Is Used
Introscope is a familiar fixture in many Solution Manager–based monitoring setups, and it often remains installed long after initial deployment. Even as customers modernize monitoring, legacy Introscope servers and launch workflows still exist in real-world landscapes.
Nature of Vulnerability
The issue sits in the JNLP generation/launch flow. An unauthenticated attacker can influence how a JNLP file is generated and served, so that launching it runs attacker-controlled commands or code in the context of the user who opened it.
This is not a “scan-and-own” service exploit. It’s a weaponized admin-tool workflow: the attacker targets the people operating the tooling.
Attack Scenarios
An attacker identifies a reachable Enterprise Manager endpoint and crafts a URL that causes the server to generate a weaponized JNLP file, then delivers that URL to a monitoring or Basis user via phishing or internal messaging. When the user clicks the link and launches the JNLP, the attacker gains code execution on that user's workstation in their security context, a high-value path for credential theft and lateral movement.
Business Impact
Compromise of monitoring tooling is frequently a shortcut to broader SAP compromise as monitoring teams often have privileged access, credentials, and network access to production systems. A compromised workstation or admin session can serve as a pivot point for landscape-wide movement, including access to SolMan-managed systems.
Mitigation and Recommendations
- Patch: Install the fixed Introscope Enterprise Manager level (SAP references Enterprise Manager 10.8 SP01 Patch 2 / 10.8.0.220).
- Operational mitigation (if patching is delayed):
- Stop using browser-based JNLP launch where possible; use the standalone workstation package instead.
- Restrict network access to Enterprise Manager endpoints to only the admin subnets that require it.
- Monitoring guidance:
- Watch for abnormal requests to the JNLP launch endpoints and unusual admin workstation activity following link-click events.
SAP Note 3694242 (CVE-2026-0498) – RFC-Exposed Code Injection “Backdoor” in SAP S/4HANA (Data Transformation for Analytics)
| Severity | CVSS | Component | Stack | Reachability |
|---|---|---|---|---|
| Critical | 9.1 | CA-DT-ANA (Data Transformation for Analytical solutions) | ABAP, with a vulnerable RFC-exposed function module path | Typically internal RFC reachable, especially in connected landscapes and trusted RFC scenarios. |
How Widely This Is Used
While not every system actively uses analytical data transformation daily, CA-DT-ANA components appear in S/4HANA Private Cloud and On-Premise environments that run analytics-adjacent processes. In large enterprises, analytics/data movement components are common and often integrated.
Nature of Vulnerability
This is a high-risk anti-pattern: an RFC-accessible function path that allows injection of arbitrary ABAP and/or OS commands, bypassing expected authorization controls. SAP’s own description makes the operational reality clear: it behaves like a built-in backdoor once a sufficiently privileged caller can reach it.
Attack Scenarios
A threat actor already holding high privileges (a compromised admin account, an abused RFC tech user, or an over-privileged integration user) calls the RFC path and injects ABAP/OS command execution. From there, they can establish persistence (new users, scheduled jobs, RFC destinations), manipulate configurations, or stage data extraction. The most realistic scenario is post-compromise acceleration: this turns “admin in SAP” into “system-level control” faster and more reliably.
Business Impact
A full compromise of an S/4HANA system is a business-level incident that includes operational disruption, integrity loss across business processes, and potential regulatory exposure, depending on the impacted datasets. Even if the attacker already has elevated privileges, a direct ABAP/OS injection path reduces the barriers to persistence and deeper compromise.
Mitigation and Recommendations
- Patch: Implement SAP Note 3694242 via the referenced support packages/correction instructions.
- If patching is delayed:
- SAP provides no formal workaround; treat this as a patch-driven fix.
- Reduce blast radius by reviewing RFC trust relationships, limiting who can invoke sensitive RFC-enabled modules, and tightening privileged role assignment.
- Monitoring guidance:
- Review logs for anomalous RFC activity by privileged users, especially execution patterns inconsistent with normal analytics operations.
SAP Note 3697979 (CVE-2026-0491) – RFC-Exposed Code Injection “Backdoor” in SAP Landscape Transformation (LT Analysis)
| Severity | CVSS | Component | Stack | Reachability |
|---|---|---|---|---|
| Critical | 9.1 | CA-LT-ANA (Landscape Transformation Analysis), delivered under DMIS | ABAP, vulnerable RFC-exposed execution path | Internal RFC reachability, often in landscapes where SLT/DMIS components communicate broadly. |
How Widely This Is Used
Not every customer runs DMIS, but in enterprises doing SLT replication, data migrations, carve-outs, or landscape consolidation, DMIS is common. When present, it often has high-trust connectivity by design.
Nature of Vulnerability
This mirrors the S/4HANA code injection pattern: an RFC path that can be abused (with high privileges) to inject ABAP and/or OS commands, bypassing expected authorization barriers. In practical terms, this is a high-impact backdoor capability inside a highly trusted component.
Attack Scenarios
An attacker with admin-level SAP access exploits the RFC-exposed function path to run injected code/commands. In DMIS-heavy landscapes, the attacker can pivot quickly because transformation/replication components often have broad RFC connections to source and target systems.
Business Impact
Compromise here can become landscape-wide, because transformation components typically sit at the intersection of multiple SAP systems. This creates risk of widespread data manipulation, replication sabotage, and lateral movement.
Mitigation and Recommendations
- Patch: Implement SAP Note 3697979 via the referenced support packages/correction instructions.
- If patching is delayed:
- No workaround is provided. Reduce exposure by tightening RFC access and reviewing high-privilege users tied to DMIS operations.
- Monitoring guidance:
- Monitor privileged RFC calls in DMIS/LT contexts; investigate unusual execution bursts or off-hours activity tied to transformation users.
SAP Note 3691059 (CVE-2026-0492) – Privilege Escalation via User Impersonation in SAP HANA
| Severity | CVSS | Component | Stack | Reachability |
|---|---|---|---|---|
| High | 8.8 | HAN-DB-SEC (HANA Security & User Management) | HANA database | Network-reachable wherever HANA SQL ports are reachable (typically internal, but often reachable from app tiers and admin networks). |
How Widely This Is Used
If you run S/4HANA or any HANA-backed platform, you have HANA at the center of your most critical data flows. This is broadly applicable to large enterprises and mid-market deployments alike.
Nature of Vulnerability
The flaw allows a user with valid credentials (any user) to switch/impersonate another user, potentially escalating into an administrative context. In effect, the database’s user-separation boundary can be breached.
Attack Scenarios
An attacker steals credentials for a low-privileged HANA user (an application technical user, a support account, or a mismanaged DB credential). After that, they leverage the vulnerability to switch to a more privileged user, up to administrative access. From there, they can perform data extraction, create new users, disable auditing, tamper with schema/data, and disrupt dependent SAP applications.
Business Impact
This is a direct path to database-level compromise, which typically means:
- Sensitive data exposure (PII, financials, operational data)
- Integrity loss (silent tampering is often the worst-case)
- Availability impact (shutdown, destructive changes)
Mitigation and Recommendations
- Patch: Update SAP HANA 2.0 to:
- SPS07: revision 79.07
- SPS08: revision 88
- (SAP notes that SPS05 and SPS06 are not affected, but validate your exact revision level.)
- If patching is delayed:
- Restrict network reachability to HANA ports to only required application hosts and admin jump points.
- Ensure HANA auditing is enabled and monitored, with alerting for suspicious user-context changes and privilege anomalies.
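To support the "validate your exact revision level" point, here is an added example (not SAP code) that classifies a constructed inventory of HANA version strings against the fixed revisions listed above (SPS07: 79.07, SPS08: 88; SPS05/SPS06 not affected). It assumes the string returned by `SELECT VERSION FROM SYS.M_DATABASE` has the form major.minor.revision.maintenance.build and that the SPS is the tens digit of the revision; the hostnames and version values are invented.

```python
"""
Triage a HANA 2.0 inventory against the fixed revisions for SAP Note 3691059:
SPS07 fixed in revision 79.07, SPS08 in revision 88, SPS05/SPS06 not affected.
"""
from __future__ import annotations

import re

# Assumption: SELECT VERSION FROM SYS.M_DATABASE returns
# <major>.<minor>.<revision>.<maintenance>.<build>, e.g. "2.00.079.07.1733478432",
# and the SPS is the tens digit of the revision (70-79 = SPS07, 80-89 = SPS08).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d{3})\.(\d{2})(?:\.\d+)?")

FIXED_IN = {7: (79, 7), 8: (88, 0)}   # SPS -> first fixed (revision, maintenance revision)
NOT_AFFECTED_SPS = {5, 6}

# Constructed inventory (host -> version string); not real systems.
INVENTORY = {
    "hdb-prd-01": "2.00.079.07.1733478432",
    "hdb-prd-02": "2.00.077.00.1710000000",
    "hdb-qas-01": "2.00.088.00.1740000000",
    "hdb-dev-01": "2.00.085.00.1730000000",
    "hdb-old-01": "2.00.059.14.1650000000",
    "hdb-new-01": "2.00.094.00.1760000000",
}


def parse_hana_version(version: str) -> tuple[int, int, int]:
    """Return (sps, revision, maintenance) from a HANA 2.0 version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised HANA version string: {version!r}")
    major, minor, revision, maint = (int(g) for g in m.groups())
    if (major, minor) != (2, 0):
        raise ValueError(f"only HANA 2.0 is handled here, got {major}.{minor:02d}")
    return revision // 10, revision, maint


def status_3691059(version: str) -> str:
    """'patched', 'vulnerable', 'not affected', or a prompt to check the note
    for an SPS the note does not list."""
    sps, revision, maint = parse_hana_version(version)
    if sps in NOT_AFFECTED_SPS:
        return "not affected"
    if sps not in FIXED_IN:
        return "unlisted SPS, check the note"
    # Tuple comparison handles 79.07 vs 79.10 and 88.00 vs 87.xx correctly.
    return "patched" if (revision, maint) >= FIXED_IN[sps] else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    return {host: status_3691059(v) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, state in sorted(triage(INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{host:12} {INVENTORY[host]:24} {state}")
```

The comparison is on the (revision, maintenance) pair rather than on the string, so a maintenance revision such as 79.10 is correctly treated as newer than 79.07, and anything on an SPS the note does not mention is surfaced for manual review instead of being silently marked safe.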
SAP Note 3675151 (CVE-2026-0507) – OS Command Injection in SAP NetWeaver RFC SDK / rfcExec Started Server
| Severity | CVSS | Component | Stack | Reachability |
|---|---|---|---|---|
| High | 8.4 | BC-MID-RFC-SDK (NetWeaver RFC SDK) | RFC SDK / external RFC server tooling (not pure ABAP) | Adjacent-network attack vector; exposure depends on how rfcExec is deployed and reachable in your environment. |
How Widely This Is Used
Many enterprises run custom integrations using the RFC SDK. Still, rfcExec as a standalone server is more commonly used in legacy or specialized scenarios (e.g., older interfaces, external command execution flows, niche tooling). The risk is highest where it’s present because the impact is OS-level.
Nature of Vulnerability
The core issue is a validation logic failure around COMMAND handling when using rfcExec.sec: the comparison behavior is incorrect, potentially allowing execution paths that should be blocked. In practice, that can turn a “restricted command execution interface” into an OS command-injection surface.
Attack Scenarios
- This vulnerability can be used in insider-threat or post-compromise scenarios where the attacker already has a foothold in the same network segment as the RFC server tooling.
- An attacker with administrative access and adjacent network access pushes crafted content that, when processed, results in arbitrary OS command execution.
Business Impact
OS-level command execution on SAP-connected hosts enables:
- Direct compromise of application servers or integration hosts
- Credential theft, persistence, and rapid lateral movement
- Outage or sabotage through system-level changes
Mitigation and Recommendations
- Patch: Apply the SAP-provided fixes via the referenced support packages/patches.
- SAP also points custom RFC SDK 7.50 implementations to RFC SDK patch level 18 or later (per SAP Note 2573790).
- If patching is delayed (defensive controls):
- If rfcExec is not required, disable or remove the started server configuration.
- Restrict network access to the started server endpoints; enforce gateway ACLs (secinfo/reginfo) aggressively.
- Monitoring guidance:
- Watch for unusual started-server invocations and suspicious command-like payload patterns in RFC-related logs.
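Added example (not SAP's own tooling) for the gateway ACL point above: a checker for secinfo (which external programs, such as rfcExec, the gateway may start) and reginfo (which external servers may register with the gateway). It parses the VERSION=2 rule syntax, applies first-match-wins evaluation, and flags permit-all rules, wildcard program names, rules that can never be reached, and files without a reachable catch-all deny. The three sample files are constructed; treating an omitted key as unrestricted is a conservative assumption of this checker, not documented gateway behavior.

```python
"""
Audit SAP gateway ACL files (secinfo: which external programs such as rfcExec
the gateway may start; reginfo: which external servers may register) for
permissive or ineffective rules. Both files use VERSION=2 syntax: one rule per
line, P (permit) or D (deny) followed by KEY=VALUE pairs, evaluated top to
bottom with the first matching rule winning.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample files (not taken from any real system).
SECINFO_SAMPLE = """\
#VERSION=2
# rfcexec may be started on sapapp01 only, by integration users logged on there
P TP=rfcexec HOST=sapapp01 USER=INTEGR_* USER-HOST=sapapp01
P TP=* USER=* HOST=* USER-HOST=*
D TP=* USER=* HOST=* USER-HOST=*
"""

REGINFO_SAMPLE = """\
#VERSION=2
P TP=ZINT_SERVER HOST=sapint01 ACCESS=internal CANCEL=internal
P TP=* HOST=*
"""

SECINFO_HARDENED = """\
#VERSION=2
P TP=rfcexec HOST=sapapp01 USER=INTEGR_* USER-HOST=sapapp01
D TP=* USER=* HOST=* USER-HOST=*
"""


@dataclass
class Rule:
    line_no: int
    action: str              # "P" (permit) or "D" (deny)
    params: dict[str, str]   # e.g. {"TP": "rfcexec", "HOST": "sapapp01"}


def parse_acl(text: str) -> list[Rule]:
    rules = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # comments and the #VERSION=2 header
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {no}: expected P or D, got {action!r}")
        params = {}
        for pair in pairs:
            key, _, value = pair.partition("=")
            params[key.upper()] = value
        rules.append(Rule(no, action, params))
    return rules


def is_wild(value: str | None) -> bool:
    # Assumption for this checker: an absent key is treated as unrestricted,
    # the same as an explicit "*".
    return value is None or value == "*"


def audit_acl(text: str, kind: str) -> list[tuple[int, str, str]]:
    """kind is 'secinfo' or 'reginfo'. Returns (line_no, severity, message);
    line 0 is used for file-level findings."""
    findings: list[tuple[int, str, str]] = []
    catch_all_from: int | None = None     # line that already matches every request
    reachable_deny_all = False
    for r in parse_acl(text):
        tp, host = r.params.get("TP"), r.params.get("HOST")
        if catch_all_from is not None:
            findings.append((r.line_no, "INFO",
                             f"unreachable: line {catch_all_from} already matches every request"))
            continue
        if is_wild(tp) and is_wild(host):
            if r.action == "P":
                findings.append((r.line_no, "CRITICAL",
                                 f"{kind}: permits any program (TP=*) from any host"))
            else:
                reachable_deny_all = True
            catch_all_from = r.line_no
        elif r.action == "P" and is_wild(tp):
            findings.append((r.line_no, "HIGH", f"{kind}: permits any program from HOST={host}"))
        elif (r.action == "P" and kind == "secinfo"
              and is_wild(r.params.get("USER")) and is_wild(r.params.get("USER-HOST"))):
            findings.append((r.line_no, "MEDIUM",
                             f"secinfo: TP={tp} may be started by any user from any client host"))
    if not reachable_deny_all:
        findings.append((0, "HIGH", f"{kind}: no reachable catch-all deny rule (D TP=* HOST=*)"))
    return findings


if __name__ == "__main__":
    for name, text, kind in [("secinfo", SECINFO_SAMPLE, "secinfo"),
                             ("reginfo", REGINFO_SAMPLE, "reginfo"),
                             ("secinfo (hardened)", SECINFO_HARDENED, "secinfo")]:
        print(f"== {name}")
        for line_no, sev, msg in audit_acl(text, kind) or [(0, "OK", "no findings")]:
            print(f"  line {line_no:<3} {sev:<8} {msg}")
```

The first-match rule is the part that catches people: in the constructed secinfo the final deny line looks correct but is dead, because the permit-all line above it already matches every request. The hardened variant keeps only the specific rfcexec permit followed by the catch-all deny and produces no findings.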
SAP Note 3565506 (CVE-2026-0511, CVE-2026-0496, CVE-2026-0495) – Multiple Vulnerabilities in Fiori App “Intercompany Balance Reconciliation”
| Severity | CVSS | Component | Stack | Reachability |
|---|---|---|---|---|
| High | 8.1 | FI-LOC-FI-RU (Financials localization; app context includes Intercompany Balance Reconciliation / F1819) | Fiori application (front-end + OData/backend processing) | Typically internal via Fiori Launchpad, but frequently made available to remote users through reverse proxies/Web Dispatcher, so “internal” can become “broadly reachable” quickly. |
How Widely This Is Used
Intercompany reconciliation is common in large enterprises. The specific application footprint depends on localization and rollout, but when deployed, it is used by finance teams and often has access to sensitive reconciliation data and workflows.
Nature of Vulnerability
This note addresses three distinct problems:
- A missing authorization check allowing a logged-in user to perform actions beyond their intended scope (privilege escalation).
- An unrestricted file upload path (high-privileged abuse potential) that does not sufficiently constrain file types.
- A configuration/design issue that allowed sending files to arbitrary email destinations, increasing leakage risk.
Attack Scenarios
In a possible attack scenario, a low-privileged finance user (or a compromised account) abuses the missing authorization checks to reach or manipulate reconciliation functions outside their role. Separately, a privileged user can use the unrestricted upload to introduce malicious or unexpected files into business workflows (not necessarily server compromise, but a common vehicle for downstream abuse), and the send-to-email behavior offers a realistic exfiltration channel in insider and compromised-user scenarios.
Business Impact
- Unauthorized reconciliation actions can cause financial reporting integrity issues and downstream process disruption.
- File-handling weaknesses create data leakage and workflow manipulation risk, which often becomes a compliance issue even when “technical severity” looks moderate.
Mitigation and Recommendations
- Patch: Implement SAP Note 3565506.
- If patching is delayed:
- Restrict access to the app and affected functions to trusted, tightly controlled roles (SAP’s recommended interim approach).
- Review who has access to upload and file-sharing capabilities inside the app.
- Monitoring guidance:
- Track unusual OData invocation patterns and unexpected file upload activity tied to reconciliation roles.
SAP Note 3688703 (CVE-2026-0506) – Missing Authorization Check Allows RFC Execution of ABAP FORM Routines
| Severity | CVSS | Component | Stack | Reachability |
|---|---|---|---|---|
| High | 8.1 | BC-DWB-DIC-F4 (ABAP Dictionary / F4 Help) | Application Server ABAP / ABAP Platform | Network-reachable via RFC for authenticated users; the affected area is present broadly across ABAP systems. |
How Widely This Is Used
This is in the ABAP Platform layer (the SAP_BASIS range is broad), so it can affect a large portion of enterprise ABAP estates, even if the vulnerable RFC path is not something customers knowingly use.
Nature of Vulnerability
An RFC-exposed capability can be abused to execute ABAP FORM routines without appropriate authorization enforcement. FORM routines are not meant to be invoked remotely as generic “call anything” building blocks; if a remote caller can trigger them, they can drive unintended application behavior, especially when forms update data or trigger system actions.
Attack Scenarios
In a potential attack scenario, an attacker with a standard SAP user account uses RFC tooling to invoke the vulnerable function and attempts to execute FORMs that perform updates or trigger sensitive actions. This can be used to modify data or cause operational disruption by invoking routines out of context.
Business Impact
SAP rates confidentiality impact as none, but integrity and availability as high, which aligns with real-world outcomes:
- Unauthorized changes to business data or configuration
- Disruption through dumps, locked objects, or forced execution paths that break process flows
Mitigation and Recommendations
- Patch: Implement SAP Note 3688703. SAP indicates the vulnerable function is disabled/removed as part of the fix.
- If patching is delayed:
- SAP provides no workaround; focus on exposure reduction:
- Tighten RFC authorizations (S_RFC) and restrict RFC access from untrusted networks.
- Review gateway ACLs and trusted RFC destinations.
- Monitoring guidance:
- Investigate anomalous RFC call patterns from dialog users who do not typically perform technical operations.
Medium and Lower Priority Notes
While the remaining notes are mostly Medium/Low by CVSS, several become operationally important when the affected component is internet-facing or widely used.
Web-facing issues: Portal, Business Connector, SRM Catalog
| SAP Note / CVE ID | Description |
|---|---|
| 3687372 (CVE-2026-0499) | Reflected XSS in NetWeaver Enterprise Portal navigation (unauthenticated, user interaction required). |
| 3666061 (CVE-2026-0514) | XSS in SAP Business Connector (unauthenticated link-based exploitation; patching includes CoreFix requirements). |
| 3638716 (CVE-2026-0513) | Open redirect in SRM Catalog SICF handler, often used for social engineering and credential theft chains. This note includes post-implementation report execution steps; don’t treat it as “apply note and forget.” |
Operational note: If Portal/BC/SRM endpoints are reachable outside trusted networks, treat them as higher priority than their CVSS scores might suggest (session theft and user redirection are often the first steps in larger incidents).
Business application authorization and credential handling gaps
| SAP Note / CVE ID | Description |
|---|---|
| 3681523 (CVE-2026-0503) | SAP EHS Management (ECC/S/4HANA) issue involving missing authorization checks and hardcoded credential handling; can enable unauthorized access to specific EHS change pointer data. |
| 3677111 (CVE-2026-0497) | Product Designer Web UI information exposure; the correction deactivates the affected UI, so validate the business impact before rollout. |
| 3655229 (CVE-2026-0493) | CSRF/state-changing behavior (OData method semantics hardening). |
| 3655227 (CVE-2026-0494) | Information disclosure under certain conditions. |
Identity/Java hardening and lower-severity fixes
| SAP Note / CVE ID | Description |
|---|---|
| 3657998 (CVE-2026-0504) | SAP Identity Management REST interface JNDI input handling issue (admin-only exploitation, low impact). |
| 3593356 (CVE-2026-0510) | NW AS Java UME user mapping uses an obsolete crypto algorithm; SAP notes it is only relevant if UME User Mapping is configured. After patching, a conversion step in User Admin is required to re-encrypt mapping data with the new algorithm. |
Defender’s Perspective: What This Patch Day Tells Us
January’s notes reinforce a long-standing reality in SAP security: the most dangerous vulnerabilities rarely reside on glossy, internet-facing “front doors.” They live inside trusted integration surfaces: RFC, database authentication boundaries, and admin tooling.
Three patterns are hard to ignore this month:
- RFC remains a primary risk multiplier. Critical and high issues tied to RFC exposure (SQL injection, code injection/backdoor behavior, FORM execution misuse) underscore how quickly an attacker can move once they have any authenticated foothold.
- Post-compromise acceleration is a real category. Notes requiring high privileges (the RFC “backdoor-style” injections) still matter because they collapse the attacker’s time-to-impact once an admin account is compromised.
- Legacy components persist, and attackers know it. Introscope and older integration tooling show up in real environments long after teams assume they’re “out of scope.” Attackers target these precisely because they sit in privileged networks and are often under-patched.
Strategically, patching must be paired with authorization hygiene (especially S_RFC), segmentation, and monitoring that treats internal abuse as a primary threat model, not an edge case.
Final Recommendations
- Patch immediately (same change window if possible):
- Critical: 3687749, 3668679, 3694242, 3697979
- High: 3691059, 3675151, 3688703, 3565506
- If patching must be staged:
- Start with systems that are most reachable (Portal/BC/Fiori exposed to remote networks, shared admin tooling, integration hubs).
- Apply SAP’s explicit workaround where available (S_RFC restriction for 3687749 / FGL_BCF).
- Harden and monitor alongside patching:
- Review RFC authorizations and destinations (SM59, S_RFC), and remove wildcards that grant broad remote invocation.
- Tighten access to HANA network ports and ensure auditing is enabled and reviewed.
- Reduce attack surface for admin tooling (Introscope) and restrict it to admin-only network segments.
Patching closes the immediate vulnerabilities. Defense-in-depth – least privilege, constrained RFC trust, segmented admin tooling, and meaningful logging – determines whether the next credential theft becomes a contained incident or a landscape compromise.