SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities
Briefly

"The most important of these notes resolves critical-severity vulnerabilities in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration. SAP describes the FS-QUO bug, tracked as CVE-2019-17571 (CVSS score of 9.8), as a code injection issue. Initially disclosed in December 2019, it is a deserialization of untrusted data defect in Apache Log4j (Log4Shell) that could allow remote attackers to execute arbitrary code under certain conditions."
"The second critical-severity bug, tracked as CVE-2026-27685 (CVSS score of 9.1), is another deserialization of untrusted data issue. It could allow attackers to upload untrusted data that, when deserialized, could lead to code execution, denial-of-service (DoS) conditions, or privilege escalation."
"The third security note released on SAP's March 2026 Security Patch Day resolves CVE-2026-27689 (CVSS score of 7.7), a high-severity DoS bug in Supply Chain Management. The issue allows an attacker to repeatedly call an unspecified function with an extremely large loop control parameter, eventually exhausting system resources through continuous execution."
SAP released 15 security notes during its March 2026 Security Patch Day. The most critical patches address vulnerabilities in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration. The FS-QUO vulnerability (CVE-2019-17571, CVSS 9.8) is a code injection issue stemming from Apache Log4j deserialization of untrusted data that enables remote code execution. A second critical vulnerability (CVE-2026-27685, CVSS 9.1) involves deserialization flaws allowing code execution, denial-of-service, or privilege escalation. A third high-severity issue (CVE-2026-27689, CVSS 7.7) causes denial-of-service in Supply Chain Management through resource exhaustion. Additional medium-severity patches address SSRF, authorization checks, SQL injection, XSS, and other defects across multiple SAP products. No active exploitation has been reported.
Read at SecurityWeek