SAP Security Patchday 02/2026: smarterSec says “Sorry, but not sorry”

The monthly SAP Security Patchday often feels like the myth of Sisyphus: just as you’ve pushed the boulder to the top and finished your patching cycle, you’re sent right back to the bottom to start again. Last month, many SAP customers were forced to update their SAP Kernel, a significant workload for already stretched SAP Basis teams that often requires system downtime. A prime example was Note 3600840 (CVSS 9.6), which addressed critical authorization checks in RFC communication.

The “(Not) Again” Moment

This month, based on research by smarterSec, SAP is shipping Note 3674774 “[CVE-2026-0509] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform”. Once again, it carries a critical CVSS score of 9.6.

Consequently, we have to say: “Sorry (but not sorry)—you need to update your SAP Kernel release. Again.” Given the criticality, we strongly recommend implementation as a top priority.

February at a Glance

Beyond the Kernel update, the February patchday is exceptionally busy:

  • 27 new patches released (plus 2 updates to previous notes).
  • 7 patches specifically for SAP BusinessObjects and SAP Business One.
  • HotNews Alert (Note 3697099): Rated CVSS 9.9, close to the maximum score. This vulnerability allows an attacker to invoke any ABAP function module, regardless of whether it is RFC-enabled. This represents a massive attack vector.

Are your systems vulnerable?

Don’t guess—verify. The fastest way to identify missing patches and misconfigurations is a targeted assessment scan with the smarterSec Security Platform.

Stop the Sisyphus cycle. Let’s talk about how we can help you automate and optimize your patch management process.
