SAP released 15 security notes on its March 2026 Security Patch Day addressing critical, high, and medium-severity vulnerabilities across multiple products. The most severe fixes include a Log4j-related deserialization code injection (CVE-2019-17571) and another critical deserialization flaw (CVE-2026-27685), plus a high-severity Supply Chain Management DoS (CVE-2026-27689); organizations should apply updates promptly. #Log4Shell #SAP
Keypoints
- SAP published 15 new security notes as part of its March 2026 Security Patch Day.
- The FS-QUO Quotation Management issue (CVE-2019-17571) is a Log4j deserialization code injection that can enable remote code execution.
- CVE-2026-27685 is a critical deserialization flaw that may lead to code execution, denial-of-service, or privilege escalation.
- CVE-2026-27689 is a high-severity DoS in Supply Chain Management caused by resource exhaustion from an oversized loop control parameter.
- Other patches address medium-severity SSRF, missing authorization, SQL injection, XSS, insecure storage, DLL hijacking, and DoS across NetWeaver, Business One, S/4HANA, Customer Checkout, GUI for Windows, and Solution Tools Plug-In, with no known active exploitation reported.
Read More: https://www.securityweek.com/sap-patches-critical-fs-quo-netweaver-vulnerabilities/