SAP has released a crucial security update as part of its March 2026 Patch Day, introducing 15 new security notes to address vulnerabilities across its product suite. Among these, two critical vulnerabilities stand out, posing a risk of remote code execution and potential system compromise.
Critical Vulnerabilities Identified
This month’s update highlights two critical security issues. The first, tagged as CVE-2019-17571, affects the SAP Quotation Management Insurance application. With a CVSS score of 9.8, this flaw originates from an outdated Apache Log4j component, allowing unauthenticated remote attackers to execute arbitrary code on affected systems. Notably, this is the first patch specifically targeting FS-QUO 800 despite the CVE’s existence since 2019.
The second critical issue, CVE-2026-27685, impacts SAP NetWeaver Enterprise Portal Administration. Rated 9.1 on the CVSS scale, this vulnerability arises from insecure deserialization, enabling a privileged user to upload malicious content, potentially compromising the entire system.
High and Medium Severity Flaws
In addition to the critical vulnerabilities, SAP’s patch addresses a high-severity denial-of-service vulnerability, CVE-2026-27689, in its Supply Chain Management software. This flaw could disrupt system availability and requires immediate attention.
Several medium-severity vulnerabilities are also patched, including a server-side request forgery in SAP NetWeaver Application Server for ABAP, and missing authorization checks across various SAP products. These vulnerabilities could allow unauthorized actions or data access, posing significant risks if left unpatched.
Lower Severity Issues and Recommendations
Lower severity patches include fixes for insecure storage in SAP Customer Checkout and DLL hijacking in SAP GUI for Windows. While these are less critical, they still warrant attention to ensure comprehensive security.
SAP emphasizes the importance of applying the two critical patches immediately, particularly for organizations utilizing SAP NetWeaver, Supply Chain Management, or Business One. Regular patch management aligned with SAP’s monthly updates is essential for maintaining system security.
For further cybersecurity updates and recommendations, follow us on Google News, LinkedIn, and X. Contact us to share your stories and insights.
