SAP Releases Critical Security Patches to Address Remote Code Execution Vulnerabilities
On March 10, 2026, SAP issued 15 new security notes as part of its monthly Patch Day, addressing a spectrum of vulnerabilities across its product suite. Notably, two critical flaws have been identified that could allow remote code execution, potentially leading to full system compromise.
Critical Vulnerabilities:
1. CVE-2019-17571 (CVSS 9.8): This vulnerability affects the SAP Quotation Management Insurance application (FS-QUO 800). It originates from an outdated Apache Log4j SocketServer component embedded within the product. This component accepts and deserializes serialized log events without authentication, enabling unauthenticated remote attackers to execute arbitrary code on the host system. Despite the CVE identifier dating back to 2019, this is the first patch issued specifically for FS-QUO 800, underscoring the risks associated with legacy components in enterprise software.
2. CVE-2026-27685 (CVSS 9.1): This flaw impacts SAP NetWeaver Enterprise Portal Administration running EP-RUNTIME 7.50. It involves insecure deserialization, allowing a privileged user to upload malicious or untrusted content. When deserialized by the server, this content can severely impact the confidentiality, integrity, and availability of the host system, effectively granting full system control. SAP Security Note 3714585 addresses this issue.
High and Medium Severity Vulnerabilities:
– CVE-2026-27689 (CVSS 7.7): A high-severity denial-of-service vulnerability in SAP Supply Chain Management affects multiple versions, including SCMAPO, S4CORE, S4COREOP, and SCM. An authenticated, low-privileged attacker can exploit this flaw over the network to disrupt availability across impacted supply chain management components without requiring user interaction.
– CVE-2026-24316 (CVSS 6.4): A Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Application Server for ABAP affects SAP_BASIS versions 740 through 918. This flaw could allow attackers to make unauthorized server-side requests to internal resources.
– CVE-2026-24309 (CVSS 6.4): A missing authorization check in SAP NetWeaver AS for ABAP affects SAP_BASIS versions 700 through 816. This vulnerability could permit unauthorized data modification and disruption.
– CVE-2026-27684 (CVSS 6.4): An SQL Injection flaw in SAP NetWeaver’s Feedback Notification component affects SAP_ABA versions 700 through 816. Exploitation could lead to partial data exfiltration and service disruption.
– CVE-2026-0489 (CVSS 6.1): A DOM-based Cross-Site Scripting (XSS) vulnerability in SAP Business One (Job Service) versions B1_ON_HANA 10.0 and SAP-M-BO 10.0 requires user interaction to trigger.
Additional Medium-Severity Patches:
– CVE-2026-27686: Addresses missing authorization checks in SAP Business Warehouse.
– CVE-2026-27687: Fixes issues in SAP S/4HANA HCM Portugal.
– CVE-2026-27688: Resolves vulnerabilities in SAP NetWeaver AS for ABAP.
– CVE-2026-24313: Patches flaws in SAP Solution Tools Plug-In.
Lower-Severity Fixes:
– CVE-2026-24311: Addresses insecure storage protection in SAP Customer Checkout 2.0.
– CVE-2026-24317: Fixes DLL Hijacking in SAP GUI for Windows with active GuiXT.
– CVE-2025-9230 and CVE-2025-9232: Resolve denial-of-service conditions tied to an outdated OpenSSL version in SAP NetWeaver AS Java’s Adobe Document Services component.
– CVE-2026-24310: Patches a low-severity missing authorization issue in SAP NetWeaver AS for ABAP.
Recommendations:
SAP administrators are strongly advised to prioritize the application of patches for the two critical vulnerabilities, CVE-2019-17571 and CVE-2026-27685, due to the significant risk of remote code execution they pose. Organizations utilizing SAP NetWeaver, SAP Supply Chain Management, or SAP Business One should review the relevant security notes and implement the necessary updates promptly to protect their systems from potential exploitation.
