The second Tuesday of March - time for another SAP Security Patch Day. This time SAP published 20 security notes. Fewer than in February? Indeed. But there are still two critical vulnerabilities with a CVSS score above 9.0 - and one of them brings back memories many administrators would rather leave in the past.
Log4j is back on the scene. Not as a new vulnerability, but as a reminder that old technical debt can resurface at the least expected moment. Add to that an insecure deserialisation flaw in NetWeaver Portal, and we have a March picture that is hard to ignore.
March by the numbers
SAP published a total of 20 security notes, covering new fixes, updates to earlier notes, and interim releases. The priority breakdown is as follows:
🔴 Hot News (critical): 2 notes (CVSS 9.1–9.8)
🟠 High: 2 notes (CVSS 7.7–8.8)
🟡 Medium: 15 notes (CVSS 4.3–6.5)
🟢 Low: 1 note (CVSS 3.5)
Most are medium-priority fixes - but that does not mean they can be deferred. Missing authorisation checks, SQL Injection, or SSRF in a production environment are real risks that attackers are able to exploit.
Critical vulnerabilities (Hot News) - CVSS 9.0+
1. Code Injection in SAP Quotation Management Insurance (CVSS 9.8)
SAP Note 3698553 | CVE-2019-17571 | Component: FS-QUO
The highest CVSS score this month - 9.8 out of 10. The cause? The Apache Log4j library. Yes, the very same one that triggered a global-scale alert in December 2021. The scheduler module in the SAP Quotation Management Insurance application uses a vulnerable version of Log4j, allowing remote execution of arbitrary code. Resolution: immediate installation of the patch or manual update of the component. A workaround is also described in Note 3720225 - but the patch is the recommended path.
2. Insecure Deserialization in SAP NetWeaver Enterprise Portal (CVSS 9.1)
SAP Note 3714585 | CVE-2026-27685 | Component: BC-PIN-PCD
Insecure deserialisation - a category of vulnerability we have seen increasingly often in SAP over recent months. In this case, it concerns NetWeaver Portal administration. The patch introduces additional content validation and is the only resolution - no workaround exists. Technical details are in FAQ Note 3724167. If you use the NetWeaver Portal, this is priority number one.
High-priority vulnerabilities
3. XML Signature Wrapping in SAP NetWeaver AS ABAP (CVSS 8.8)
SAP Note 3697567 | CVE-2026-23687 | Component: BC-SEC-WSS
An updated note from February - text changes only, but the underlying issue remains serious. XML Signature Wrapping allows manipulation of signed XML documents, which can lead to bypassing authentication mechanisms. It affects every NetWeaver ABAP system using web services with XML signatures.
4. Denial of Service in SAP Supply Chain Management (CVSS 7.7)
SAP Note 3719502 | CVE-2026-27689 | Component: SCM-APO-INT-EXT
A function module with an uncontrolled loop - a classic error that can take down an entire SCM system. The DoS attack does not require high privileges, and the only resolution is to install the patch. Critical for organisations dependent on supply chain planning.
Medium and low priority - does not mean unimportant
15 medium-priority notes and 1 low-priority note make up the bulk of March’s Patch Day. These are precisely the fixes most often deferred “for later” - and that is a mistake. Six of them concern missing authorisation checks, which in practice means an unauthorised user could gain access to data or functions they should not be able to view. Let us look at a few selected examples:
Insecure Storage in SAP Customer Checkout 2.0 (CVSS 5.6)
SAP Note 3708457 | CVE-2026-24311 | Component: IS-SE-CCO
A lesser-known SAP solution that runs as a local Java installation and stores data insecurely. New customers should use the updated version immediately. Existing customers must manually enable the correct secure storage mechanism. Easy to overlook, yet the consequences can be painful.
Outdated OpenSSL in Adobe Document Services (CVSS 4.3)
SAP Note 3700960 | Multiple CVEs | Component: BC-SRV-FP
Adobe Document Services is a component frequently installed on a NetWeaver Java system, though not necessarily actively used. An outdated version of OpenSSL in such a “dormant” component is an ideal blind spot for an attacker. This is also a good opportunity to verify which components are actually needed - reducing the attack surface is a fundamental element of cyber resilience.
SecurityBridge discovery: Missing Authorization in ST-PI (CVSS 5.0)
SAP Note 3707930 | CVE-2026-24313 | Component: SV-SMG-SDD
It is worth noting that one of March’s vulnerabilities was discovered by the SecurityBridge research team - our partner in the field of SAP security. The issue is a missing authorisation check in SAP Solution Tools Plug-In (ST-PI), a component present in practically every SAP system. This confirms that active security research and responsible disclosure genuinely work.
Full list of 20 security notes - March 2026
Below is the complete overview of all fixes published as part of March’s SAP Security Patch Day. Each of them deserves assessment in the context of your SAP landscape:
1. [🔴 Hot News] CVSS 9.8
Code Injection in SAP Quotation Management Insurance (FS-QUO)
SAP Note 3698553 | CVE-2019-17571
2. [🔴 Hot News] CVSS 9.1
Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration
SAP Note 3714585 | CVE-2026-27685
3. [🟠 High] CVSS 8.8
XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform
SAP Note 3697567 | CVE-2026-23687
4. [🟠 High] CVSS 7.7
Denial of Service (DoS) in SAP Supply Chain Management
SAP Note 3719502 | CVE-2026-27689
5. [🟡 Medium] CVSS 6.5
Denial of Service (DoS) in SAP BusinessObjects BI Platform (AdminTools)
SAP Note 3695912 | CVE-2026-24324
6. [🟡 Medium] CVSS 6.5
Missing Authorization check in SAP NetWeaver AS ABAP and SAP S/4HANA
SAP Note 3672622 | CVE-2026-0484
7. [🟡 Medium] CVSS 6.4
Missing Authorization check in SAP NetWeaver Application Server for ABAP
SAP Note 3703856 | CVE-2026-24309
8. [🟡 Medium] CVSS 6.4
SQL Injection in SAP NetWeaver (Feedback Notification)
SAP Note 3697355 | CVE-2026-27684
9. [🟡 Medium] CVSS 6.4
Server-Side Request Forgery (SSRF) in SAP NetWeaver AS ABAP
SAP Note 3689080 | CVE-2026-24316
10. [🟡 Medium] CVSS 6.1
DOM-based Cross-Site Scripting (XSS) in SAP Business One (Job Service)
SAP Note 3693543 | CVE-2026-0489
11. [🟡 Medium] CVSS 5.9
Missing Authorization check in SAP Business Warehouse (Service API)
SAP Note 3703385 | CVE-2026-27686
12. [🟡 Medium] CVSS 5.8
Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
SAP Note 3701020 | CVE-2026-27687
13. [🟡 Medium] CVSS 5.6
Insecure Storage Protection in SAP Customer Checkout 2.0
SAP Note 3708457 | CVE-2026-24311
14. [🟡 Medium] CVSS 5.0
DLL Hijacking in SAP GUI for Windows with active GuiXT
SAP Note 3699761 | CVE-2026-24317
15. [🟡 Medium] CVSS 5.0
Missing Authorization check in SAP NetWeaver AS ABAP
SAP Note 3704740 | CVE-2026-27688
16. [🟡 Medium] CVSS 5.0
Missing Authorization check in SAP Solution Tools Plug-In (ST-PI) - discovered by SecurityBridge!
SAP Note 3707930 | CVE-2026-24313
17. [🟡 Medium] CVSS 4.7
Cross-Site Scripting (XSS) in SAP NetWeaver Business Client for HTML
SAP Note 3396109 | CVE-2024-22128
18. [🟡 Medium] CVSS 4.3
Denial of Service - outdated OpenSSL version in SAP NetWeaver AS Java (Adobe Document Services)
SAP Note 3700960 | Multiple CVEs
19. [🟡 Medium] CVSS 4.3
Information Disclosure in SAP S/4HANA (Manage Payment Media)
SAP Note 3646297 | CVE-2026-24314
20. [🟢 Low] CVSS 3.5
Missing Authorization check in SAP NetWeaver AS ABAP
SAP Note 3694383 | CVE-2026-24310
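As an added example (not part of the original post, and not a SecurityBridge or SNOK tool), the script below parses entries in the three-line format used in the list above, ranks them against an assumed inventory of installed products, and flags CVEs that predate the patch year, the resurfacing-technical-debt pattern seen with Log4j this month. The sample entries and the LANDSCAPE tuple are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: three entries copied in the post's own three-line format.
SAMPLE = """\
1. [🔴 Hot News] CVSS 9.8
Code Injection in SAP Quotation Management Insurance (FS-QUO)
SAP Note 3698553 | CVE-2019-17571
2. [🔴 Hot News] CVSS 9.1
Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration
SAP Note 3714585 | CVE-2026-27685
14. [🟡 Medium] CVSS 5.0
DLL Hijacking in SAP GUI for Windows with active GuiXT
SAP Note 3699761 | CVE-2026-24317
"""

# Assumed inventory: name fragments of the SAP products actually installed.
LANDSCAPE = ("NetWeaver", "S/4HANA", "SAP GUI")

HEAD = re.compile(r"^\d+\.\s+\[[^\]]*?(Hot News|High|Medium|Low)\]\s+CVSS\s+(\d+(?:\.\d+)?)$")
REF = re.compile(r"^SAP Note (\d+)\s*\|\s*(.+)$")
# cve is "CVE-YYYY-NNNN" or free text such as "Multiple CVEs".
Note = namedtuple("Note", "priority cvss title note cve")


def parse_notes(text):
    """Parse entries of the form: header line, title line, 'SAP Note N | CVE' line."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("each entry must span exactly three lines")
    notes = []
    for i in range(0, len(lines), 3):
        head, ref = HEAD.match(lines[i]), REF.match(lines[i + 2])
        if not (head and ref):
            raise ValueError(f"unexpected entry format near: {lines[i]!r}")
        notes.append(Note(head[1], float(head[2]), lines[i + 1], ref[1], ref[2]))
    return notes


def triage(notes, landscape=LANDSCAPE, patch_year=2026):
    """Return (note, cvss, in_landscape, older_cve) tuples, notes for installed products
    first and then by CVSS; older_cve flags a CVE predating the patch year (resurfacing
    technical debt such as Log4j). Title matching is a heuristic: confirm the component."""
    rows = []
    for n in notes:
        in_landscape = any(p.lower() in n.title.lower() for p in landscape)
        year = re.match(r"CVE-(\d{4})-", n.cve)
        rows.append((n.note, n.cvss, in_landscape, bool(year) and int(year[1]) < patch_year))
    return sorted(rows, key=lambda r: (not r[2], -r[1]))
```

With the constructed inventory, the NetWeaver Portal note ranks first and the 9.8 Quotation Management note drops to the bottom as not installed, while its 2019 CVE is flagged as old.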
What does this tell us?
March’s Patch Day confirms a trend we have observed over several quarters. First, vulnerable third-party libraries (Log4j, OpenSSL) remain a favoured attack vector. Second, deserialisation and missing authorisation checks are themes that keep coming back like a boomerang. Third, “dormant” components that we forget about can become the weakest link.
Does your organisation have a process that guarantees a review of every Patch Day within 48 hours of publication? If not, now is a good moment to implement one.
At SNOK, we help clients systematically manage SAP patches - from identifying missing fixes, through impact analysis, to deployment. We work with SecurityBridge, whose platform provides full visibility into the security posture of your SAP landscape and automates what has until now been a laborious manual process.
#SAPSecurity #PatchDay #SafeTuesdayWithSNOK #SecurityBridge #Cybersecurity
Would you like to see this in practice or discuss implementation for your organisation? Get in touch - we will respond within 48 hours.