SAP

Multiple high-severity vulnerabilities discovered in various SAP products, including SQL injection (SQLi), remote indirect code injection (XSS), and security policy bypasses, could allow unauthenticated attackers to compromise sensitive enterprise systems by June 2026.

Multiple vulnerabilities in SAP software could allow an attacker to perform SQL injection, gain elevated privileges, execute arbitrary code, bypass security measures, perform cross-site scripting attacks, manipulate data, disclose sensitive information, or cause other unspecified impacts.

The Shai-Hulud malware was used in a large-scale software supply-chain attack compromising hundreds of packages across open-source software ecosystems by compromising developer secrets and CI/CD pipelines.

CVE-2026-34259 is an OS Command Execution vulnerability in SAP Forecasting & Replenishment that allows an authenticated attacker with administrative privileges to execute arbitrary OS commands, potentially leading to complete system compromise.

SAP Commerce Cloud is vulnerable to unauthenticated malicious configuration upload and code injection due to improper Spring Security configuration, resulting in arbitrary server-side code execution.

SAP S/4HANA (SAP Enterprise Search for ABAP) is vulnerable to SQL injection (CVE-2026-34260) via user-controlled input, allowing an authenticated attacker to inject malicious SQL statements, leading to unauthorized data access and potential application crashes.

Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.

The Mini Shai-Hulud campaign injected malicious code into SAP NPM packages, targeting credentials and cloud secrets related to SAP Cloud Application Programming (CAP) and SAP cloud deployment workflows, exfiltrating data through public GitHub repositories.

Multiple official SAP npm packages were compromised via a supply chain attack, likely by TeamPCP, to steal credentials and authentication tokens from developers' systems.

Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.