




















System administrators are likely to have a busy February after Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed.
The zero-days are as follows:
Read more on Patch Tuesday: Microsoft Fixes Three Zero-Days on Busy Patch Tuesday.
In total this month, most CVEs disclosed by Microsoft were EoP (25), followed by remote code execution (12), spoofing (7), information disclosure (6) and security feature bypass (5).
None of the actively exploited vulnerabilities are rated critical. In fact, only five CVEs out of the 58 patched this month are critical.
Elsewhere, SAP released 26 new security “notes” yesterday, and one update to a previously released note.
The two most serious CVEs include a missing authorization check vulnerability (CVE-2026-0509) in SAP NetWeaver Application Server ABAP and ABAP Platform – which has a CVSS score of 9.6.
The second (CVE-2026-0488) is a code injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor), which has a CVSS score of 9.9.
Pathlock SAP security analyst, Jonathan Stross, explained that the affected systems are commonly used by call center agents and CRM support staff.
“A realistic attack chain could start from attackers compromising a standard CRM user through phishing, password reuse, or endpoint compromise. Then, the attacker accesses the Scripting Editor-related functionality and leverages the generic call flaw,” he continued.
“Finally, they execute unauthorized database-level actions (SQL), resulting in broad control. Once there, an attacker can compromise the database, steal or modify data, and cause operational disruption by manipulating CRM/S/4 data at the persistence layer.”
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。