SAP ships March 2026 patches for critical flaws that can lead to code execution
5 min. read 
Published on
SAP has released 15 new security notes for March 2026, and two of them fix critical vulnerabilities that could let attackers take control of affected systems. SAP says customers should visit the Support Portal and apply patches as a priority to protect their SAP landscape.
The most urgent issue in this batch is CVE-2019-17571, a critical code injection vulnerability with a CVSS score of 9.8 in SAP Quotation Management Insurance application, FS-QUO 800. SAP lists it under Security Note 3698553.
The second critical flaw is CVE-2026-27685, an insecure deserialization issue in SAP NetWeaver Enterprise Portal Administration, EP-RUNTIME 7.50. SAP rates it 9.1 and addresses it in Security Note 3714585.
This month’s release also includes one high-severity vulnerability and eleven medium-severity issues, plus one low-severity flaw. That makes March lighter than some recent SAP Patch Days, but the two critical notes still demand immediate attention from admins.
What the critical SAP flaws do
SAP says CVE-2019-17571 affects FS-QUO 800 and stems from a Log4j SocketServer issue. Heise notes that the vulnerable class deserializes untrusted data and can be abused from the network to inject and execute malicious code.
Even though the CVE dates back to 2019, SAP’s March 2026 bulletin shows that FS-QUO 800 received a patch for it now. That matters because older third-party components can remain exposed inside enterprise software long after a CVE first appears. This is an inference based on SAP’s March note and the age of the CVE.
The second critical issue, CVE-2026-27685, affects SAP NetWeaver Enterprise Portal Administration. Heise reports that a user with rights in the system can upload malicious or untrusted content, which the server then deserializes, creating a strong impact on confidentiality, integrity, and availability.
That means the first flaw looks more dangerous from an external code execution perspective, while the second can still open a path to full system compromise in environments where a privileged account is already available. This comparison is an inference based on SAP’s severity ratings and Heise’s description of the attack conditions.
Other vulnerabilities fixed in SAP’s March Patch Day
SAP also patched a high-severity denial-of-service flaw, CVE-2026-27689, in SAP Supply Chain Management. The issue affects several SCMAPO, S4CORE, S4COREOP, and SCM versions, and SAP rates it 7.7.
Several medium-severity fixes affect widely deployed products. These include CVE-2026-24316, a server-side request forgery issue in SAP NetWeaver Application Server for ABAP, CVE-2026-24309, a missing authorization check in SAP NetWeaver Application Server for ABAP, and CVE-2026-27684, an SQL injection vulnerability in SAP NetWeaver Feedback Notification.
SAP also fixed CVE-2026-0489, a DOM-based cross-site scripting issue in SAP Business One Job Service, along with authorization issues in SAP Business Warehouse Service API and SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal. The March bulletin also lists lower-priority fixes for SAP Customer Checkout 2.0, SAP GUI for Windows, SAP Solution Tools Plug-In, and SAP NetWeaver AS Java Adobe Document Services.
March 2026 SAP Patch Day at a glance
| Item | Details |
|---|---|
| Total new security notes | 15 |
| Critical issues | 2 |
| High-severity issues | 1 |
| Medium-severity issues | 11 |
| Low-severity issues | 1 |
| Most severe CVE | CVE-2019-17571 |
| Most severe score | 9.8 |
| Critical NetWeaver CVE | CVE-2026-27685 |
| NetWeaver score | 9.1 |
Critical notes admins should prioritize
- Security Note 3698553 for CVE-2019-17571 in SAP Quotation Management Insurance application FS-QUO 800.
- Security Note 3714585 for CVE-2026-27685 in SAP NetWeaver Enterprise Portal Administration EP-RUNTIME 7.50.
- Security Note 3719502 for CVE-2026-27689 in SAP Supply Chain Management.
What SAP admins should do now
Admins should review the March 2026 notes in SAP’s Support Portal and prioritize the two critical fixes first. SAP’s own bulletin explicitly tells customers to apply patches on priority.
Teams running SAP NetWeaver, SAP Supply Chain Management, SAP Business One, or older FS-QUO deployments should compare their installed versions against the affected ranges in the March bulletin. That step will identify whether their landscape matches the products and releases listed by SAP.
Because SAP Patch Day lands on the second Tuesday of each month, organizations should keep a structured review and deployment cycle around that schedule. Onapsis describes Patch Day as a regular process that security and basis teams should track closely, and SAP’s own archive reflects that monthly cadence.
FAQ
SAP released 15 new security notes on March 10, 2026. The company said there were no updates to previously released Patch Day notes in this batch.
The two critical issues are CVE-2019-17571 in SAP Quotation Management Insurance application FS-QUO 800 and CVE-2026-27685 in SAP NetWeaver Enterprise Portal Administration.
CVE-2019-17571 can enable code injection and remote code execution through a vulnerable Log4j SocketServer component, according to SAP’s bulletin and Heise’s summary. CVE-2026-27685 can lead to severe system compromise through insecure deserialization.
SAP’s March bulletin also includes fixes for SAP Supply Chain Management, SAP Business One Job Service, SAP Business Warehouse Service API, SAP Customer Checkout 2.0, SAP GUI for Windows, and SAP Solution Tools Plug-In.
SAP says customers should use the Support Portal and review the relevant security notes there.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages