On its March 2026 Patch Day, SAP released 15 new security notes fixing a number of flaws in its products, including two critical-rated vulnerabilities that could let an attacker run code remotely and take over the whole system. SAP strongly encourages all of its customers to visit its Support Portal and make patching their SAP landscapes a top priority.

CVE-2019-17571 is the most serious flaw fixed this month. It has a CVSS score of 9.8 and affects the SAP Quotation Management Insurance application (FS-QUO 800). The problem stems from an old Apache Log4j SocketServer component built into the product. This class accepts and deserializes serialized log events without authentication, which lets an unauthenticated attacker run arbitrary code on the host system.

Even though the CVE identifier dates back to 2019, this is the first patch issued specifically for FS-QUO 800, which shows how long legacy components of enterprise software can remain vulnerable. The second critical problem, CVE-2026-27685 (CVSS 9.1), affects SAP NetWeaver Enterprise Portal Administration running EP-RUNTIME 7.50.

This insecure deserialization flaw lets a privileged user upload malicious or untrusted content that, when deserialized by the server, has a high impact on the host system's confidentiality, integrity, and availability, giving that user full control over the system. This issue is covered in SAP Security Note 3714585.

High- and medium-severity vulnerabilities

A high-severity denial-of-service vulnerability (CVE-2026-27689, CVSS 7.7) was fixed in SAP Supply Chain Management; it affects several versions of SCMAPO, S4CORE, S4COREOP, and SCM.

An authenticated, low-privileged attacker can exploit this flaw over the network to make the affected supply chain management components unavailable, with no user interaction required.

There are also several medium-severity flaws in this batch that affect SAP's most widely used platforms:

CVE-2026-24316 (CVSS 6.4) is a Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Application Server for ABAP that affects SAP_BASIS versions 740 through 918. It could let attackers make unauthorized requests to internal resources from the server.

CVE-2026-24309 (CVSS 6.4) is a missing authorization check in SAP NetWeaver AS for ABAP affecting SAP_BASIS versions 700 through 816. It could allow unauthorized data modification and service disruption.

CVE-2026-27684 (CVSS 6.4) is a SQL injection flaw in the Feedback Notification component of SAP NetWeaver that affects SAP_ABA versions 700 through 816. It lets attackers read some data and disrupt services.

CVE-2026-0489 (CVSS 6.1) is a DOM-based Cross-Site Scripting (XSS) flaw in SAP Business One (Job Service) versions B1_ON_HANA 10.0 and SAP-M-BO 10.0 that requires user interaction to exploit.

There are also medium-severity patches for missing authorization checks in SAP Business Warehouse (CVE-2026-27686), SAP S/4HANA HCM Portugal (CVE-2026-27687), SAP NetWeaver AS for ABAP (CVE-2026-27688), and the SAP Solution Tools Plug-In (CVE-2026-24313).

Among the less serious fixes are insecure storage in SAP Customer Checkout 2.0 (CVE-2026-24311), DLL hijacking in SAP GUI for Windows with GuiXT enabled (CVE-2026-24317), a denial-of-service condition caused by an outdated OpenSSL version in the Adobe Document Services component of SAP NetWeaver AS Java (CVE-2025-9230, CVE-2025-9232), and a low-severity missing authorization issue in SAP NetWeaver AS for ABAP (CVE-2026-24310).

Because they carry a risk of remote code execution, SAP administrators should make the two critical notes, 3698553 and 3714585, their top priority. Organizations running SAP NetWeaver, SAP Supply Chain Management, or SAP Business One should check all affected version ranges and apply the corresponding security notes promptly through the SAP Support Portal.

SAP Patch Day takes place every month on the second Tuesday. Maintaining a structured patch management cycle aligned with this schedule remains a basic element of enterprise SAP security.