SAP released 15 new security notes on its March 2026 Patch Day, addressing a range of vulnerabilities across its product portfolio, including two critical-rated flaws that could enable remote code execution and complete system compromise.
SAP strongly urges all customers to visit its Support Portal and prioritize patch application to safeguard their SAP landscapes.
The most severe flaw addressed this month is CVE-2019-17571, which carries a CVSS score of 9.8 and affects the SAP Quotation Management Insurance application (FS-QUO 800).
The vulnerability stems from an outdated Apache Log4j SocketServer component embedded in the product, a class that accepts and deserializes serialized log events without authentication, enabling an unauthenticated remote attacker to execute arbitrary code on the host system.
Despite the CVE identifier tracing back to 2019, this marks the first patch issued specifically for FS-QUO 800, highlighting how legacy components in enterprise software can remain exposed for extended periods.
The second critical issue, CVE-2026-27685 (CVSS 9.1), affects SAP NetWeaver Enterprise Portal Administration running EP-RUNTIME 7.50.
This insecure deserialization flaw allows a privileged user to upload malicious or untrusted content that, when deserialized by the server, results in a high impact on the confidentiality, integrity, and availability of the host system, effectively providing a pathway to full system control. SAP Security Note 3714585 addresses this issue.
High and Medium Severity Vulnerability
A high-severity denial-of-service vulnerability, CVE-2026-27689 (CVSS 7.7), was patched in SAP Supply Chain Management, affecting multiple SCMAPO, S4CORE, S4COREOP, and SCM versions. An authenticated, low-privileged attacker can exploit this flaw over the network to disrupt availability across impacted supply chain management components without requiring any user interaction.
Several medium-severity flaws round out the patch batch, spanning SAP’s most widely deployed platforms:
- CVE-2026-24316 (CVSS 6.4) — A Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Application Server for ABAP across SAP_BASIS versions 740 through 918, potentially allowing attackers to make unauthorized server-side requests to internal resources.
- CVE-2026-24309 (CVSS 6.4) — A missing authorization check in SAP NetWeaver AS for ABAP affecting SAP_BASIS versions 700 through 816, which could permit unauthorized data modification and disruption.
- CVE-2026-27684 (CVSS 6.4) — An SQL Injection flaw in SAP NetWeaver’s Feedback Notification component across SAP_ABA versions 700 through 816, enabling partial data exfiltration and service disruption.
- CVE-2026-0489 (CVSS 6.1) — A DOM-based Cross-Site Scripting (XSS) vulnerability in SAP Business One (Job Service) versions B1_ON_HANA 10.0 and SAP-M-BO 10.0, requiring user interaction to trigger.
Additional medium-severity patches cover missing authorization checks in SAP Business Warehouse (CVE-2026-27686), SAP S/4HANA HCM Portugal (CVE-2026-27687), SAP NetWeaver AS for ABAP (CVE-2026-27688), and SAP Solution Tools Plug-In (CVE-2026-24313).
Lower-severity fixes include insecure storage protection in SAP Customer Checkout 2.0 (CVE-2026-24311), DLL Hijacking in SAP GUI for Windows with active GuiXT (CVE-2026-24317), a denial-of-service condition tied to an outdated OpenSSL version in SAP NetWeaver AS Java’s Adobe Document Services component (CVE-2025-9230, CVE-2025-9232), and a low-severity missing authorization issue in SAP NetWeaver AS for ABAP (CVE-2026-24310).
SAP administrators should treat the two critical notes 3698553 and 3714585 as immediate priorities given the remote code execution risk they represent. Organizations running SAP NetWeaver, SAP Supply Chain Management, or SAP Business One should audit all affected version ranges and apply the corresponding security notes through the SAP Support Portal without delay.
SAP Patch Day occurs on the second Tuesday of each month, and maintaining a structured patch management cycle aligned with this schedule remains a foundational practice for enterprise SAP security.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
