Automation for SAP IT Teams | Expert Insights

The False Reality of “Patched by Friday”: Why SAP Security Updates Aren’t a One-Week Job

Written by Rick Porter | January 15, 2026

SAP released its list of January 2026 security patches this week, including 17 new patches and 2 updates. 10 are rated high to critical, and immediate action on these is recommended. Senior management, executives, and boards will expect that the suggested action has been taken, and all is well.

However, immediate action is easier said than done.

Patching is a complicated process

When patches are released, senior management, executives, and boards often assume they will all be implemented within the week, and all is well.

Unfortunately, it’s just not that simple.

Each patch is a black box of unknown changes, changes that could impact critical transactions and production stability. Security teams need to approach installation with care.

This usually means a thorough investigation of each patch to better understand its potential impact, followed by rigorous testing after installation.

False reality

When it comes to SAP, IT resources are limited, usually overstretched, and time-poor. Installing every patch within a week of release isn’t realistic, and it doesn’t happen, except in the rarest of circumstances.

This means that those who carry the can for security breaches are likely living with a false reality. They believe systems are fully patched, well-secured, and that data is safe, when it may not be at all.

A justifiable approach

A simple overview that communicates patching status to those who should know can resolve this.

All management needs to know is the following:

  • What patches have been received
  • The CVSS of each, i.e., its risk if left uninstalled
  • The status of each, i.e., installed or uninstalled
  • The target date for installation if uninstalled
  • The rationale behind any delayed installation

Delays can happen for several reasons, and management should know what they are. They could include a lack of resources, the need for extensive testing, or a level of effort that means the installation needs to be scheduled to fit in with a current program of work.

However, when informed, management can report to higher-ups that the best is being done and that plans are in place to maximise security and minimise risk within current limitations.

Third-party tools to help

There are a couple of tools from smarterSec that can help.

Automated Patch Impact Analysis


These tools identify which patches are relevant for your systems, the specific transactions that may be impacted, and the best users to test them.

This enables SAP security teams to tabulate their patching plan based on risk, impact, and resources rather than arbitrarily by CVSS or a similar measure.

The benefit: You avoid unnecessary work, focus only on the patches that matter, and test smarter with less disruption to business users.

Automated Remediation Analysis

These tools help you ensure each patch is successfully applied, all remediation steps are completed, and nothing is left unchecked.

This is particularly important if a third party is responsible for patching, as in SAP ERP Cloud (aka RISE) installations.

The benefit: You gain confidence and documented assurance that your systems remain secure, stable, and compliant after every patch cycle.

About Leg Up Software

Leg Up Software is an expert in SAP IT operational and infrastructure software automation solutions.

From SAP Basis to SAP Security, we understand the landscape of SAP operations and infrastructure automation, and we have already done the legwork to identify the best available solutions.

We have excellent relationships with a wide range of SAP add-on third-party vendors and can negotiate an evaluation process that best suits your circumstances and budget.

Why not schedule a time to start the conversation by adding it to our calendar?
