On March 10, 2026, SAP released its monthly Security Patch Day updates, addressing multiple vulnerabilities across its enterprise software products.
Maintaining a structured patch management cycle aligned with this monthly schedule remains a foundational practice for enterprise SAP security.
This month’s rollout includes 15 new security notes, with no updates to previously issued patches.
Administrators are strongly advised to visit the SAP Support Portal and apply these updates immediately, as the most severe flaws could allow attackers to execute remote code and completely compromise affected systems.
The most severe issue fixed this month is a critical Code Injection vulnerability in the SAP Quotation Management Insurance application (FS-QUO), tracked under CVE-2019-17571.
Carrying a maximum CVSS score of 9.8 out of 10, this flaw allows unauthenticated attackers to inject malicious code over the network, leading to remote code execution (RCE).
Another critical flaw, CVE-2026-27685, impacts the SAP NetWeaver Enterprise Portal Administration component.
With a CVSS score of 9.1, this insecure deserialization vulnerability requires high privileges but can severely impact system confidentiality, integrity, and availability if successfully exploited.
High and Medium Severity Security Risks
Alongside the critical flaws, SAP patched a high-severity Denial of Service (DoS) vulnerability (CVE-2026-27689) affecting SAP Supply Chain Management.
This issue holds a CVSS score of 7.7 and could allow attackers to disrupt critical business operations.
The update also resolves twelve medium-severity vulnerabilities and one low-severity flaw across various SAP products. Notable medium-severity issues include:
- A Server-Side Request Forgery (SSRF) in SAP NetWeaver AS for ABAP (CVE-2026-24316).
- A SQL Injection vulnerability in the Feedback Notification component of SAP NetWeaver (CVE-2026-27684).
- A DOM-based Cross-Site Scripting (XSS) bug in SAP Business One (CVE-2026-0489).
- Multiple Missing Authorization checks affecting SAP Business Warehouse, S/4HANA HCM, and NetWeaver AS for ABAP.
SAP strongly recommends that organizations prioritize patching to protect their SAP landscape. System administrators should:
- Immediately apply patches for the critical CVSS 9.0+ vulnerabilities to prevent remote code execution attacks.
- Review the SAP Support Portal for the complete list of security notes and affected product versions.
- Ensure secure configuration practices are maintained across all SAP deployments to minimize the attack surface.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
