【Vulnerability Alert】SAP Releases a Critical Security Advisory for Multiple Products
Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2026011501014343 | Publication Time | 2026/01/15 13:40 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | |
| Impact Level | Low | | |
[Subject] 【Vulnerability Alert】SAP Releases a Critical Security Advisory for Multiple Products

[Content]

【CVE-2026-0500, CVSS: 9.6】Due to the use of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), unauthenticated attackers can create malicious JNLP files accessible via public URLs. When victims click the URL, the Wily Introscope server may execute operating system commands on the victim's computer.

【CVE-2026-0498, CVSS: 9.1】This vulnerability exists in SAP S/4HANA Private Cloud and on-premise deployments. It allows attackers with administrator privileges to inject arbitrary ABAP code or operating system commands into the system via a vulnerable RFC-enabled function module, thereby bypassing required authorization checks.

【CVE-2026-0491, CVSS: 9.1】SAP Landscape Transformation allows attackers with administrator privileges to exploit a vulnerability in an RFC-enabled function module to inject arbitrary ABAP code or operating system commands into the system, thereby bypassing required authorization checks.

【CVE-2026-0492, CVSS: 8.8】A privilege escalation vulnerability exists in the SAP HANA database, allowing attackers who possess valid user credentials to switch to other users and thereby obtain administrator privileges.

[Affected Platform]

SAP Wily Introscope Enterprise Manager (WorkStation) WILY_INTRO_ENTERPRISE version 10.8

SAP S/4HANA (Private Cloud and On-Premise) S4CORE versions 102, 103, 104, 105, 106, 107, 108, and 109

SAP Landscape Transformation DMIS versions 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, and 2020

SAP HANA database HDB version 2.00

[Recommended Actions] https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html

[Reference] https://www.twcert.org.tw/tw/cp-169-10634-69895-1.html

If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw





