Warning: Critical SQL Injection Vulnerability in SAP Products (CVE-2026-27681). Patch Immediately!

Published : 14/04/2026
  • Last update: 14/04/2026
  • Affected software:
    SAP Business Planning and Consolidation: HANABPC 810, BPC4HANA 300
    SAP Business Warehouse: SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816
  • Type: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
  • CVE/CVSS
    → CVE-2026-27681: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-27681

Risks

As part of its monthly Security Patch Day, SAP released 19 new security notes and one update addressing multiple vulnerabilities, including critical issues such as SQL injection, denial of service (DoS), and code injection.

Among them, CVE-2026-27681 is a critical SQL injection vulnerability affecting SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW). Successful exploitation could allow attackers to execute arbitrary SQL commands and fully compromise affected systems.

Description

CVE-2026-27681 (CVSS 9.9) is caused by insufficient authorization checks, allowing an authenticated user with low privileges to execute arbitrary SQL commands, potentially leading to unauthorised access and data manipulation.

This could result in unauthorised access to sensitive database information, modification of critical business data, and potential denial of service through data deletion or manipulation, severely impacting the confidentiality, integrity, and availability of the system.
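The two defects the description names, a missing authorization check and user-controlled input reaching the SQL text, shown side by side with their fixes. This is a generic illustration added here, not SAP's code: the advisory does not publish the affected BPC/BW code, and the SQLite tables, the "analyst" user, the region entitlements and the planning rows are all constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data: a small planning table and a per-user
    region entitlement table (not taken from the advisory)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE planning(id INTEGER, region TEXT, amount INTEGER);
        INSERT INTO planning VALUES (1, 'EMEA', 100), (2, 'APAC', 250), (3, 'AMER', 400);
        CREATE TABLE entitlements(username TEXT, region TEXT);
        INSERT INTO entitlements VALUES ('analyst', 'EMEA');
        """
    )
    return conn


def vulnerable_lookup(conn, username, region):
    """Pattern the advisory describes: any authenticated user reaches the
    query (no authorization check) and the input is spliced into the SQL
    text, so a crafted value changes the statement instead of matching a row."""
    sql = f"SELECT id, region, amount FROM planning WHERE region = '{region}'"
    return conn.execute(sql).fetchall()


def is_entitled(conn, username, region):
    """Server-side check: may this user read this region at all?"""
    row = conn.execute(
        "SELECT 1 FROM entitlements WHERE username = ? AND region = ?",
        (username, region),
    ).fetchone()
    return row is not None


def hardened_lookup(conn, username, region):
    """Fix 1: authorize before touching business data.
    Fix 2: bind the input as a parameter so it is only ever a value."""
    if not is_entitled(conn, username, region):
        raise PermissionError(f"{username} is not entitled to region {region!r}")
    return conn.execute(
        "SELECT id, region, amount FROM planning WHERE region = ?", (region,)
    ).fetchall()


def demo():
    """Run the same low-privilege input through both versions."""
    conn = build_db()
    crafted = "' OR '1'='1"  # constructed input that escapes the string literal

    # Vulnerable: the analyst, entitled only to EMEA, gets every region back.
    leaked = vulnerable_lookup(conn, "analyst", crafted)

    # Hardened: the authorization check refuses a region the user is not entitled to.
    try:
        hardened_lookup(conn, "analyst", crafted)
        blocked = False
    except PermissionError:
        blocked = True

    # Even without the authorization layer, a bound parameter turns the
    # crafted string into a plain value that matches no region.
    param_only = conn.execute(
        "SELECT id FROM planning WHERE region = ?", (crafted,)
    ).fetchall()

    return {
        "vulnerable_rows": len(leaked),
        "hardened_blocked": blocked,
        "param_only_rows": len(param_only),
        "hardened_legit": hardened_lookup(conn, "analyst", "EMEA"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for reviewers of similar code is that the two fixes are independent: parameter binding stops the input from becoming SQL syntax, and the entitlement check stops a low-privileged but authenticated account from reaching data it is not allowed to see even with a well-formed request. Both are needed to close the class of issue the advisory describes.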

In addition to the critical vulnerability, SAP addressed other high and medium severity vulnerabilities, including:

  • CVE-2026-34256 is a high-severity vulnerability with a CVSS score of 7.1 identified in SAP ERP and SAP S/4 HANA. This flaw impacts both Private Cloud and On-Premises deployments by allowing unauthorised users to perform restricted actions.
  • CVE-2025-64775 is a Denial of Service in BusinessObjects with a CVSS score of 6.5. Exploitation could disrupt critical business analytics and reporting operations.
  • CVE-2026-27674 is a Code Injection vulnerability in SAP NetWeaver Application Server Java, which has been resolved.
  • CVE-2026-0512 is a Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable instances with the highest priority after thorough testing.

SAP strongly recommends that customers visit the support portal and apply the patches as a priority to protect their SAP landscape.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-27681
SAP SE - https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2026.html
SAP SE - https://me.sap.com/notes/3719353
GB hackers - https://gbhackers.com/sap-patch-day-fixes-critical-flaws/