Enterprise security firm SAP on Tuesday announced the release of 15 new security notes as part of its March 2026 Security Patch Day.
The most important of these notes resolves critical-severity vulnerabilities in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration.
SAP describes the FS-QUO bug, tracked as CVE-2019-17571 (CVSS score of 9.8), as a code injection issue.
Initially disclosed in December 2019, it is a deserialization of untrusted data defect in Apache Log4j that could allow remote attackers to execute arbitrary code under certain conditions.
The second critical-severity bug, tracked as CVE-2026-27685 (CVSS score of 9.1), is another deserialization of untrusted data issue.
It could allow attackers to upload untrusted data that, when deserialized, could lead to code execution, denial-of-service (DoS) conditions, or privilege escalation.
The third security note released on SAP’s March 2026 Security Patch Day resolves CVE-2026-27689 (CVSS score of 7.7), a high-severity DoS bug in Supply Chain Management.
The issue allows an attacker to repeatedly call an unspecified function with an extremely large loop control parameter, eventually exhausting system resources through continuous execution.
SAP’s remaining new security notes resolve medium-severity issues in NetWeaver, Business One, Business Warehouse, S/4HANA, Customer Checkout 2.0, GUI for Windows, and Solution Tools Plug-In.
The resolved security defects include server-side request forgery (SSRF), missing authorization check, SQL injection, XSS, insecure storage protection, DLL hijacking, and DoS flaws.
SAP makes no mention of any of these vulnerabilities being exploited in the wild, but users should update their deployments as soon as possible.
Related: SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities
Related: SAP’s January 2026 Security Updates Patch Critical Vulnerabilities
Related: Cisco Patches Critical Vulnerabilities in Enterprise Networking Products
