SAP Security Patch Tuesday March 2026 | Critical Vulnerabilities Demand Immediate Attention

Executive Summary

SAP released 15 Security Notes as part of the March 2026 Patch Day. Two are Critical (CVSS 9.0+) and one is High (CVSS 7.0–8.9).

This month is especially important because the top issues span full compromise risk and operational disruption:

• a remotely exploitable Log4j-based code execution path in an insurance quotation component,
• a critical deserialization weakness in Enterprise Portal Administration that can turn a privileged account into host-level control,
• a practical DoS condition in supply chain interfaces that can take planning systems offline using only standard credentials.

Key Takeaways

• If you run SAP Quotation Management Insurance (FS-QUO), prioritize Note 3698553 immediately. Treat any reachable FS-QUO scheduler endpoints as high risk until the vulnerable Log4j dependency is removed/updated.
• Enterprise Portal customers should patch Note 3714585 and re-check admin surface exposure. This is the kind of flaw that becomes catastrophic the moment a portal admin account is abused.
• SCM/APO and S/4 supply chain teams should prioritize Note 3719502. A low-privilege user with RFC reachability can drive resource exhaustion and force outages.
• Most remaining notes are authorization-check failures and input-validation issues. They are not “internet worm” problems, but they are exactly what attackers use after getting an internal foothold.
• Don’t ignore edge and endpoint components. SAP GUI with GuiXT and SAP Customer Checkout fixes are not “nice to have” in environments where endpoint compromise and physical access are realistic threats.

Critical & High-Priority Security Notes

SAP Security Note 3698553 (CVE-2019-17571) – Code Injection in SAP Quotation Management Insurance (FS-QUO)

Severity	CVSS	Stack	Component	Exposure
Critical	9.8	Java-based component (packaged with JAR dependencies; remediation involves library replacement).	SAP Quotation Management Insurance FS-QUO, specifically the FS-QUO-scheduler module.	Not typically an ABAP-facing vulnerability. Risk is driven by whether the scheduler service is reachable from untrusted networks (DMZ/integration zones) or widely accessible internally.

How Widely This Is Used

• Commonality: FS-QUO is not universal like SAP NetWeaver or S/4HANA, but it is deployed in insurance-focused landscapes where quotation and underwriting workflows are business-critical.
• Typical adopters: Insurance carriers, large brokers, and financial services organizations running SAP’s insurance quotation/underwriting capabilities.
• Internet-facing likelihood: Varies. In many deployments, quoting workflows are exposed to agents/partners through portals or integration layers, meaning the scheduler may sit in a network segment that is reachable beyond the core SAP backbone.

Nature of Vulnerability

• Root issue: The scheduler package includes an outdated Apache Log4j 1.2.17 dependency with a known remote code execution exposure (tracked as CVE-2019-17571).
• What goes wrong in practice: This is a dependency hygiene failure – an attacker can leverage known exploitation techniques against vulnerable Log4j 1.x behavior to execute server-side code when the component processes attacker-influenced data under the vulnerable library.

Attack Scenarios

• Prerequisites: No authentication required. The attacker primarily needs network reachability to the affected service path.
• Plausible path: An external attacker (or an internal attacker with network access) sends crafted traffic that triggers vulnerable Log4j behavior, resulting in arbitrary code execution under the service account on the host.
• What an attacker can achieve:
  • Establish persistent access (web shell / scheduled task / backdoor).
  • Access configuration secrets and integration credentials stored on the application host.
  • Pivot into adjacent systems used by quoting (databases, integration middleware, upstream portals).
  • Disrupt or manipulate quotation workflows (availability and integrity impacts).

Business Impact

• Operational disruption: If quotation workflows are unavailable, sales and underwriting operations stall immediately, often a direct revenue and SLA issue.
• Data exposure: Quotation systems frequently handle customer PII, premium calculations, risk data, and sometimes underwriting logic that is sensitive from a competitive and regulatory perspective.
• Downstream compromise: Once the host is compromised, attackers can target integration trust (service accounts, endpoints, credentials) to move laterally.

Mitigation and Recommendations

• Patch guidance: Implement SAP Security Note 3698553 using the provided support package patch or the documented manual corrections to replace the vulnerable Log4j component with a non-vulnerable version.
• If patching is delayed:
  • Remove the vulnerable Log4j 1.2.17 JAR from the scheduler where feasible (as per SAP’s guidance), and validate service stability.
  • Restrict network access to the scheduler hosts (firewall allowlists; remove any direct inbound exposure from DMZ/partner networks).
  • Monitor for suspicious outbound connections from FS-QUO scheduler hosts – successful exploitation frequently results in unexpected callbacks or remote fetch behavior.
• Hardening/monitoring: Treat FS-QUO scheduler systems like Tier-0 application hosts: minimal inbound exposure, tight egress control, central logging, and rapid credential rotation if compromise is suspected.

SAP Security Note 3714585 (CVE-2026-27685) – Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

Severity	CVSS	Stack	Component	Exposure
Critical	9.1	SAP NetWeaver AS Java / EP Runtime	SAP NetWeaver Enterprise Portal Administration (PCD generic layer services)	The portal itself may be internet-facing, but this specific risk centers on administration capabilities, which should be internal-only and restricted to a small set of trusted users.

How Widely This Is Used

• Commonality: SAP Enterprise Portal remains present in many mature landscapes (often alongside Fiori), particularly in large enterprises with long-running portal-based workflows.
• Typical adopters: Large enterprises, public sector, and regulated industries where portal-based employee/partner self-service and legacy integrations persist.
• Internet-facing likelihood: Portal user access may be exposed, but administration endpoints should not be. Where admin access is reachable broadly, the real-world risk increases materially.

Nature of the Vulnerability

• Root issue: Insecure deserialization of uploaded/processed content. When untrusted or malicious serialized input is processed, it can be interpreted as executable object content rather than data.
• What actually breaks: The application accepts content that can reach deserialization routines without sufficient validation, enabling the potential for remote code execution at the host level.

Attack Scenarios

• Prerequisites: A privileged portal user capable of performing the relevant upload/import action. This is not a “drive-by” exploit; it is most realistic as:
  • Post-compromise escalation (attacker has stolen/admin credentials), or
  • Insider misuse.
• Plausible path: Attacker signs into Portal Administration, uploads/imports crafted content, and triggers deserialization during processing—leading to execution on the portal host.
• What an attacker could achieve:
  • Full compromise of the portal application server and its underlying OS context.
  • Access to portal configuration, connected backend destinations, and potentially authentication artifacts.
  • Lateral movement into connected SAP and non-SAP systems that trust the portal.

Business Impact

• Control-plane compromise: Portal Admin is effectively a control surface. If attackers gain code execution here, they can modify portal content, authentication flows, and integrations.
• Data and compliance risk: Portals frequently expose HR, finance, procurement, and partner data. Host compromise can become a broad data breach.
• Operational impact: Even temporary portal instability can disrupt employee and partner operations. If the portal is a gateway to business processes, this becomes a business continuity issue.

Mitigation and Recommendations

• Patch guidance: Apply the EP Runtime support package patches referenced in SAP Security Note 3714585 (SAP also points customers to an FAQ note for deserialization best practices).
• If patching is delayed:
  • Immediately restrict Portal Administration access (network allowlists/VPN-only; remove broad internal access).
  • Validate that only a minimal set of accounts has portal admin / content administration capabilities.
  • Increase monitoring around admin uploads/imports and unusual exceptions in portal logs that may signal payload processing attempts.
• Hardening/monitoring: Treat portal administration like a privileged management interface: MFA where possible, strict role assignment, and alerting on administrative changes and content imports.

SAP Security Note 3719502 (CVE-2026-27689) – Denial of Service in SAP Supply Chain Management (APO interface to external systems)

Severity	CVSS	Stack	Component	Exposure
High	7.7	ABAP, via a remote-enabled function module (RFC).	SAP Supply Chain Management / Advanced Planning and Optimization (APO), specifically the Interface to External Systems area.	This is typically internally reachable wherever RFC integrations exist, often from many hosts and service accounts. It should not be internet-facing, but internal reachability is usually broad.

How Widely This Is Used

• Commonality: APO and supply chain integration components are common in large SAP landscapes supporting complex planning and execution.
• Typical adopters: Manufacturing, automotive, retail, consumer goods, and logistics – organizations where planning availability directly affects operations.
• Internet-facing likelihood: Rare by design, but integration networks and third-party connectivity can create indirect exposure if RFC pathways are not tightly controlled.

Nature of Vulnerability

• Root issue: Uncontrolled resource consumption caused by a loop-control parameter that is not properly bounded/validated.
• What actually goes wrong: An attacker can pass an excessively large value, forcing prolonged loop execution and consuming work processes/CPU, leading to system unavailability.

Attack Scenarios

• Prerequisites: An authenticated user with regular privileges and network access to invoke the RFC-enabled function module.
  • In real incidents, the most likely sources are compromised technical RFC users or a foothold in an internal network segment with RFC reachability.
• Plausible path: Attacker repeatedly calls the affected remote-enabled function module with a large loop parameter to exhaust resources.
• What an attacker could achieve:
  • Force planning system slowdowns and outages.
  • Disrupt interface processing, potentially cascading into ERP execution failures.
  • Create a smokescreen for other activity (resource exhaustion, distracting operations, and Basis teams).

Business Impact

• Availability-driven damage: This is a straightforward operational risk. Planning outages creates immediate downstream impacts (missed planning cycles, delayed manufacturing/shipping decisions, broken SLAs).
• Cascading disruption: APO isn’t isolated; failures ripple into connected systems and processes. Even “temporary” unavailability can cause real financial loss.

Mitigation and Recommendations

• Patch guidance: Apply the correction instructions or support packages referenced in SAP Security Note 3719502 (the fix enforces strict input validation).
• If patching is delayed:
  • Constrain RFC access: review and tighten authorizations (e.g., restrict execution of the specific RFC function module; remove from broadly assigned roles).
  • Harden RFC pathways: review RFC destinations and gateway controls; ensure only expected integration points can call into the system.
  • Monitor aggressively: alert on repeated calls, abnormal runtimes, and spikes in work process utilization that align with RFC traffic patterns.
• Operational controls: Add throttling at integration layers where feasible (middleware), and ensure Basis has runbooks for rapid isolation (blocking RFC destinations) during an active DoS event.

Medium and Lower Priority Notes (Condensed)

1) Missing Authorization Checks Across ABAP, BW, and Support Tooling

A clear theme this month is authorization enforcement gaps in function modules and reports. These issues generally require authenticated access, but they are highly relevant because attackers routinely operate with stolen low-privilege accounts or compromised technical users.

Key notes:

SAP Note / CVE ID	Description
BW Service/API control gaps (3703385, CVSS 5.9)	Unauthorized actions via RFC function modules can disrupt request processing and create DoS conditions, worth prioritizing in BW-heavy landscapes.
Payroll Portugal cross-company data exposure (3701020, CVSS 5.8)	A privileged user can access sensitive data across company boundaries. The fix introduces a switchable authorization check; ensure you activate and validate the control after implementation.
NetWeaver DB-related authorization gaps (3703856, 3704740, 3694383)	Function modules can allow reading/modifying DB-related configuration/log/catalog data under insufficient checks. Impact is often “limited” on paper, but it supports attacker recon and can be abused to degrade stability.
ST-PI information disclosure (3707930, CVSS 5.0)	ST-PI is widely deployed; leaking system information is a classic enabler for follow-on attacks (target selection, version fingerprinting).

Practical takeaway: tighten RFC execution rights and validate that sensitive function modules are not executable by broad user populations or generic technical users.

2) Input Validation and Injection-Class Issues

These are a mix of web-style vulnerabilities and internal service flaws, mostly constrained by prerequisites (auth or user interaction), but still relevant in environments with exposed services.

Key notes:

SAP Note / CVE ID	Description
SSRF via a testing report in ABAP (3689080, CVSS 6.4)	Removed as part of the fix. Risk is primarily internal. An attacker who can execute arbitrary reports can exploit SSRF to pivot to internal endpoints.
SQL injection in Feedback Notification (3697355, CVSS 6.4)	Authenticated injection path via insufficiently handled input. Treat as a reminder to inventory and disable unused services/components.
DOM-based XSS in SAP Business One Job Service (3693543, CVSS 6.1)	Unauthenticated injection requires user interaction. Prioritize in Business One environments where links can be delivered to users via email/chat workflows.

Practical takeaway: reduce exposure by disabling unused services, and ensure web-facing SAP components are behind appropriate network controls and logging.

3) Third-Party Library Hygiene Still Matters

SAP Note / CVE ID	Description
Outdated OpenSSL in Adobe Document Services (3700960, CVSS 4.3)	This is an availability-focused issue. exploitation can crash ADS work processes and interrupt document processing. ADS often sits quietly until it becomes a bottleneck; patching avoids preventable outages.

Practical takeaway: treat Java stack components (Portal/ADS) as part of your patch scope, not “secondary systems.”

4) Endpoint and Physical/Branch Risk

SAP Note / CVE ID	Description
SAP GUI for Windows with GuiXT (3699761, CVSS 5.0)	DLL hijacking style issue requiring user interaction and GuiXT enabled. This is an endpoint control problem – patch and validate GuiXT usage.
SAP Customer Checkout 2.0 insecure local protection (3708457, CVSS 5.6)	Requires physical/admin-level access to the POS environment, but the impact can be high. The fix introduces improved root key handling – ensure existing customers not only patch but switch to the OS credential store configuration.

Practical takeaway: SAP security posture includes workstations and POS terminals, not only central servers.

Defender’s Perspective: What This Patch Day Tells Us

Three trends stand out:

1. “Old” dependency risks keep resurfacing in specialized SAP applications. The FS-QUO Log4j issue is a direct reminder that third-party components embedded in SAP solutions can remain vulnerable long after the CVE is public. Patch management must include industry add-ons and sidecar services, not just core S/4 and NetWeaver.
2. Internal trust boundaries remain the main battleground. Most notes this month require authentication. That’s not “lower risk”, it matches how real attackers operate after phishing, credential theft, VPN compromise, or workstation footholds. Missing authorization checks and RFC reachability are exactly what make lateral movement through SAP landscapes efficient.
3. Configuration and operational follow-through matter as much as patch application. Some fixes introduce controls that are not automatically enforced (for compatibility reasons) or require explicit configuration changes. If you apply notes but don’t validate the effective control state, you can end up with “patched but still exposed” outcomes.

Final Recommendations

Patch prioritization

Priority	Recommendation
Priority 0 (immediate)	3698553 (FS-QUO Log4j / code injection) – patch or remove the vulnerable dependency; isolate reachable scheduler hosts.
Priority 1	3714585 (Enterprise Portal Administration deserialization) – patch EP runtime and restrict admin access paths. 3719502 (SCM/APO DoS via RFC) – patch and tighten RFC authorization/monitoring.
Priority 2	Address the authorization-check cluster (BW Service API, ST-PI, DB interfaces, HCM Portugal) with a special focus on systems with broad RFC trust relationships and shared technical users.
Priority 3	Endpoint/branch fixes (SAP GUI/GuiXT, Customer Checkout) aligned with your endpoint management cycle, but don’t defer indefinitely.

Defense-in-depth beyond patching

• Reduce exposure: keep admin interfaces internal-only; remove or disable unused services; strictly control RFC pathways and destinations.
• Harden identities: enforce strong authentication for privileged users; reduce “always-on” technical accounts; rotate credentials used by integrations.
• Increase detection: monitor portal admin actions, abnormal RFC call patterns, and resource exhaustion signals (work process spikes, repeated long-running calls).

Validate the outcome

After implementation, confirm the note is effective: check component versions/patch levels, confirm any switchable checks are activated where applicable, and run a targeted regression on business-critical interfaces (quotation flows, portal admin workflows, APO external interfaces).