SAP has released its March 2026 security patch package containing 15 security notes addressing vulnerabilities across enterprise SAP environments. This release includes two HotNews vulnerabilities with CVSS ratings up to 9.8, one High priority issue, eleven Medium priority fixes, and one Low priority update. The patches affect SAP NetWeaver, SAP Business One, SAP Supply Chain Management, SAP Business Warehouse, and other application components. Six of these vulnerabilities were identified by the RedRays research team using our ABAP Code Scanner.
Executive Summary
- Critical Code Injection: CVE-2019-17571 (CVSS 9.8) in the SAP Quotation Management Insurance application (FS-QUO). The application uses a vulnerable Apache Log4j 1.2 component whose deserialization flaw has been public since 2019; it allows unauthenticated remote code execution and complete system compromise.
- Critical Insecure Deserialization: CVE-2026-27685 (CVSS 9.1) in SAP NetWeaver Enterprise Portal Administration lets an attacker who already holds high privileges supply malicious serialized objects and achieve arbitrary code execution, with impact beyond the vulnerable component (changed scope).
- Supply Chain DoS: CVE-2026-27689 (CVSS 7.7) in SAP Supply Chain Management allows authenticated attackers to cause a denial of service with high availability impact.
- SQL Injection: CVE-2026-27684 (CVSS 6.4) in SAP NetWeaver Feedback Notification, discovered by RedRays, allows authenticated attackers to inject SQL, with cross-scope impact on confidentiality and availability.
Vulnerabilities Discovered by RedRays
Six vulnerabilities in this Patch Day were found with the RedRays ABAP Code Scanner, our static analysis tool for detecting security issues in custom ABAP code before it reaches production, and were reported to SAP through our coordinated vulnerability disclosure process.
- CVE-2026-27684 (CVSS 6.4): SQL Injection in SAP NetWeaver (Feedback Notification)
- CVE-2026-24316 (CVSS 6.4): SSRF in SAP NetWeaver Application Server for ABAP
- CVE-2026-24309 (CVSS 6.4): Missing Authorization check in SAP NetWeaver Application Server for ABAP
- CVE-2026-27686 (CVSS 5.9): Missing Authorization check in SAP Business Warehouse (Service API)
- CVE-2026-27688 (CVSS 5.0): Missing Authorization check in SAP NetWeaver Application Server for ABAP
- CVE-2026-24310 (CVSS 3.5): Missing Authorization check in SAP NetWeaver Application Server for ABAP
Critical HotNews Vulnerabilities
Code Injection vulnerability in SAP Quotation Management Insurance application (FS-QUO)
Critical code injection vulnerability in the SAP Quotation Management Insurance application, caused by a known deserialization flaw in the Apache Log4j 1.2 component it uses. Unauthenticated remote attackers can execute arbitrary code without any user interaction, leading to complete compromise of confidentiality, integrity, and availability.
Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration
Critical insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration allows an attacker with high privileges to inject malicious serialized objects. Successful exploitation reaches beyond the vulnerable component (changed scope) and fully compromises confidentiality, integrity, and availability of the portal environment.
High Priority Security Issues
Denial of service (DOS) in SAP Supply Chain Management
Denial of service vulnerability in SAP Supply Chain Management allows authenticated attackers to disrupt service availability, with impact beyond the vulnerable component (changed scope). Because SCM sits on the order-to-delivery path, an outage here directly affects supply chain operations.
Medium Priority Vulnerabilities
SQL Injection Vulnerability in SAP NetWeaver (Feedback Notification)
SQL injection vulnerability in SAP NetWeaver (Feedback Notification) allows authenticated attackers to inject malicious SQL statements, leading to cross-scope impact on confidentiality and availability of business-critical data.
Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP
Server-Side Request Forgery vulnerability in SAP NetWeaver Application Server for ABAP allows authenticated attackers to make the application server issue requests on their behalf, reaching internal services and resources that are not exposed to the attacker directly, with cross-scope impact on confidentiality and integrity.
Missing Authorization check in SAP NetWeaver Application Server for ABAP
Missing authorization check in SAP NetWeaver Application Server for ABAP allows authenticated attackers to bypass authorization controls with cross-scope impact on system integrity and availability.
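The three AS ABAP weaknesses discussed above (SQL injection, SSRF, and a missing authorization check) appear in custom code as recognisable patterns. The report below is an added illustration, not SAP code and not the code behind any CVE in this note: it places the vulnerable form of each pattern beside its hardened form. The report name, the SM59 HTTP destination ZRR_PARTNER_API, and the use of S_TABU_NAM as the authorization object are assumptions made for the example.

```abap
*&---------------------------------------------------------------------*
*& Added illustration only: not SAP code and not the code behind any
*& CVE in this note. The report name, the SM59 destination
*& ZRR_PARTNER_API and the choice of authorization object are
*& hypothetical. P_MODE = 'V' runs the vulnerable variant of each
*& pattern, anything else runs the hardened one.
*&---------------------------------------------------------------------*
REPORT zrr_patterns.

PARAMETERS: p_matnr  TYPE matnr,
            p_target TYPE c LENGTH 255 LOWER CASE,
            p_mode   TYPE c LENGTH 1 DEFAULT 'S'.

DATA: lt_mara   TYPE STANDARD TABLE OF mara,
      lv_where  TYPE string,
      lv_path   TYPE string,
      lo_client TYPE REF TO if_http_client.

IF p_mode = 'V'.
  "--- Missing authorization check + SQL injection: vulnerable ---------
  " No AUTHORITY-CHECK precedes the data access, and the WHERE clause is
  " assembled from raw input. Entering   ' OR mtart <> '   in P_MATNR
  " turns the condition into   matnr = '' OR mtart <> ''   and the
  " SELECT returns every material instead of one.
  lv_where = |matnr = '{ p_matnr }'|.
  SELECT * FROM mara INTO TABLE @lt_mara WHERE (lv_where).

  "--- SSRF: vulnerable ------------------------------------------------
  " The application server connects to whatever URL the user typed, so
  " the request can be aimed at hosts only the server can reach, e.g.
  " http://127.0.0.1:50000/ or a cloud metadata endpoint.
  cl_http_client=>create_by_url(
    EXPORTING  url    = CONV string( p_target )
    IMPORTING  client = lo_client
    EXCEPTIONS OTHERS = 1 ).

ELSE.
  "--- Missing authorization check: hardened ---------------------------
  " Check before reading. S_TABU_NAM / ACTVT 03 (display) is a stand-in
  " here; a real application checks its own authorization object.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD 'MARA'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'Not authorized to display material master data' TYPE 'E'.
  ENDIF.

  "--- SQL injection: hardened -----------------------------------------
  " Preferred form: a static WHERE with a host variable, no dynamic SQL.
  SELECT * FROM mara INTO TABLE @lt_mara WHERE matnr = @p_matnr.

  " If the condition must be built at runtime, let CL_ABAP_DYN_PRG quote
  " the value so a quote character in the input cannot close the literal.
  lv_where = |matnr = { cl_abap_dyn_prg=>quote( p_matnr ) }|.
  SELECT * FROM mara INTO TABLE @lt_mara WHERE (lv_where).

  "--- SSRF: hardened --------------------------------------------------
  " The host is never taken from input: the connection always goes to a
  " fixed HTTP destination maintained in SM59, and the user-supplied part
  " is reduced to a path segment and allowlisted character by character.
  lv_path = p_target.
  IF lv_path IS INITIAL OR
     lv_path CN 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_/'.
    MESSAGE 'Invalid target path' TYPE 'E'.
  ENDIF.
  cl_http_client=>create_by_destination(
    EXPORTING  destination = 'ZRR_PARTNER_API'
    IMPORTING  client      = lo_client
    EXCEPTIONS OTHERS      = 1 ).
  IF sy-subrc <> 0.
    MESSAGE 'HTTP destination ZRR_PARTNER_API not available' TYPE 'E'.
  ENDIF.
  cl_http_utility=>set_request_uri( request = lo_client->request
                                    uri     = |/api/v1/{ lv_path }| ).
ENDIF.

WRITE: / lines( lt_mara ), 'material(s) selected'.
```

Two design points are worth noting. The static WHERE with a host variable is always preferable to escaping, because the database receives the value as data rather than as part of the statement text; CL_ABAP_DYN_PRG is the fallback for genuinely dynamic conditions. For outbound HTTP, binding the connection to an SM59 destination moves the host, scheme, proxy and credentials into configuration that users cannot influence, which is the property an SSRF fix needs; allowlisting the path is an additional, narrower control.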
DOM-based Cross-Site Scripting (XSS) Vulnerability in SAP Business One (Job Service)
DOM-based Cross-Site Scripting vulnerability in SAP Business One (Job Service) allows unauthenticated attackers to inject malicious scripts through DOM manipulation, leading to cross-scope impact on confidentiality and integrity when users interact with crafted content.
Missing Authorization check in SAP Business Warehouse (Service API)
Missing authorization check in SAP Business Warehouse (Service API) allows authenticated attackers to bypass access controls, although exploitation depends on conditions outside the attacker's control (CVSS attack complexity high). The impact on integrity is low and the impact on availability of BW services is high.
Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
Missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal allows attackers with high privileges to access sensitive HR data; exploitation depends on conditions outside the attacker's control (CVSS attack complexity high), and the confidentiality impact extends beyond the vulnerable component.
Insecure Storage Protection vulnerability in SAP Customer Checkout 2.0
Insecure storage protection vulnerability in SAP Customer Checkout 2.0 allows attackers with physical access and high privileges to access protected data, with high impact on confidentiality and integrity of checkout systems.
Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)
Missing authorization check in SAP Solution Tools Plug-In (ST-PI) allows authenticated attackers to access sensitive system information with cross-scope impact on confidentiality.
Missing Authorization check in SAP NetWeaver Application Server for ABAP
Missing authorization check in SAP NetWeaver Application Server for ABAP allows authenticated attackers to access sensitive system information with cross-scope impact on confidentiality.
DLL Hijacking vulnerability in SAP GUI for Windows with active GuiXT
DLL Hijacking vulnerability in SAP GUI for Windows with active GuiXT: an attacker who can place a DLL where the application resolves its libraries gets that DLL loaded when a user launches SAP GUI, with low impact on confidentiality, integrity, and availability.
Denial of Service due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Services)
Multiple denial of service vulnerabilities due to an outdated OpenSSL version in SAP NetWeaver AS Java (Adobe Document Services) allow authenticated attackers to disrupt document processing with low impact on availability.
Low Priority Security Updates
Missing Authorization check in SAP NetWeaver Application Server for ABAP
Missing authorization check in SAP NetWeaver Application Server for ABAP allows authenticated attackers to read limited system information; exploitation depends on conditions outside the attacker's control (CVSS attack complexity high), and the confidentiality impact extends beyond the vulnerable component.
Security Advisory prepared by RedRays Cybersecurity Team
Based on SAP Security Notes published 10 March 2026.
© 2026 RedRays. Test patches in development environments before production deployment.