On Tuesday, SAP, a leading enterprise security company, released 15 new security notes as part of its March 2026 Security Patch Day initiative. These updates aim to address critical security vulnerabilities in their systems.
Critical Vulnerabilities in FS-QUO and NetWeaver
The most significant of these updates concern critical flaws identified in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration. SAP has highlighted a severe code injection vulnerability within FS-QUO, which is recorded as CVE-2019-17571 with a CVSS score of 9.8.
This vulnerability, initially discovered in December 2019, involves the deserialization of untrusted data in Apache Log4j, potentially allowing remote code execution under specific circumstances.
Another critical vulnerability, known as CVE-2026-27685, also involves deserialization of untrusted data. With a CVSS score of 9.1, this issue could enable attackers to introduce malicious data that, when processed, might lead to code execution or even a denial-of-service (DoS).
Additional Security Concerns Addressed
In addition to these critical vulnerabilities, SAP’s March 2026 patch includes a fix for CVE-2026-27689, a high-severity DoS vulnerability in their Supply Chain Management system. This flaw allows for the repeated execution of a function with a large loop control parameter, which can exhaust system resources.
The remaining security notes address medium-severity issues across various SAP products such as NetWeaver, Business One, Business Warehouse, S/4HANA, and others. These issues include server-side request forgery (SSRF), missing authorization checks, SQL injections, cross-site scripting (XSS), insecure storage, DLL hijacking, and DoS vulnerabilities.
Importance of Timely Updates
SAP has not reported any active exploitation of these vulnerabilities in the wild. However, users are strongly advised to update their systems promptly to mitigate potential risks.
Keeping systems updated is crucial to maintain security and prevent attackers from exploiting these vulnerabilities. Regular patching ensures that potential entry points for cyber threats are minimized, safeguarding sensitive enterprise data.
By addressing these vulnerabilities, SAP continues to reinforce its commitment to providing secure and reliable software solutions for its users worldwide.
