SAP Security Patch Day –March 2026
On March 10, 2026, SAP released its third Security Patch Day of the year with 15 new Security Notes and no updates to previously released notes, a sharp volume decrease from February’s 27 entries, but with a notable shift in vulnerability profile.
This release features 2 Critical-severity vulnerabilities (CVSS 9.1–9.8), 1 High-severity issue (CVSS 7.7), 11 Medium-severity problems (CVSS 4.3–6.4), and 1 Low-severity vulnerability. Unlike February, no iterative updates were released, indicating an entirely fresh batch of findings. The dominant patterns this month are Missing Authorization, again accounting for the majority of notes, alongside a concerning return of third-party component risks via outdated dependencies.
Key Highlights by Severity
Critical Priority (CVSS 9.8)
A Code Injection vulnerability in the SAP Quotation Management Insurance application (Note 3698553) stems from an outdated Apache Log4j 1.2.17 artifact bundled in the FS-QUO-scheduler module, allowing unauthenticated attackers to execute arbitrary code remotely with full impact on confidentiality, integrity, and availability. Notably, this note is tied to CVE-2019-17571, a seven-year-old CVE, highlighting the risk posed by unmanaged third-party dependencies persisting in production systems.
Critical Priority (CVSS 9.1)
An Insecure Deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration (Note 3714585) allows a privileged user to upload malicious content that, upon deserialization, results in full system compromise with high impact on confidentiality, integrity, and availability. No workaround is available; remediation requires applying the referenced Support Packages for EP-RUNTIME 7.50.
Critical Priority (CVSS 9.6)
A Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform (Note 3674774) allows authenticated low-privileged users to perform background Remote Function Calls (bgRFC) without the required S_RFC authorization, leading to high impact on integrity and availability. Remediation requires a kernel patch across versions 7.22 through 9.19 and the explicit activation of profile parameter rfc/authCheckInPlayback = 2.
High Priority (CVSS 7.7)
A Denial of Service vulnerability in SAP Supply Chain Management (Note 3719502) mirrors the pattern seen in February (Note 3703092): an authenticated user with standard privileges can invoke an RFC-enabled function module with an excessively large loop-control parameter, exhausting system resources and causing unavailability. No workaround is available.
Key Affected Components
SAP NetWeaver Application Server for ABAP: Four notes target this platform — an SSRF vulnerability (Note 3689080, CVSS 6.4) via a debug ABAP report left in production, a Missing Authorization check enabling unauthorized database configuration writes (Note 3703856, CVSS 6.4), a second Missing Authorization note (Note 3704740, CVSS 5.0), and a Low-severity Missing Authorization note (Note 3694383), confirming NetWeaver AS ABAP as the most persistently targeted component of 2026.
SAP NetWeaver (broader stack): A SQL Injection in the Feedback Notification Service (Note 3697355, CVSS 6.4) across SAP_ABA 700–816, and a DoS via outdated OpenSSL in AS Java Adobe Document Services (Note 3700960, CVSS 4.3) involving two related CVEs (CVE-2025-9230 and CVE-2025-9232), adding third-party library risk to the NetWeaver Java tier.
SAP Supply Chain Management: One High-severity DoS note (Note 3719502) affecting SCMAPO, SCM, and S4CORE/S4COREOP versions, repeating the exact attack pattern from February’s Note 3703092 and suggesting incomplete remediation coverage across the SCM landscape.
SAP Solution Tools Plug-In (ST-PI), SAP Business Warehouse, SAP S/4HANA HCM, SAP Business One, SAP Customer Checkout, SAP GUI for Windows: Each contributes one note, reflecting continued broad ecosystem exposure across both on-premise and niche product lines. The DLL Hijacking in SAP GUI for Windows with active GuiXT (Note 3699761, CVSS 5.0) stands out as a client-side attack vector, a less common but persistent risk in desktop-heavy landscapes.
Notable Trends
1 – Missing Authorization Remains the Dominant Class With at least 5 notes involving missing or insufficient authorization checks across NetWeaver, Business Warehouse, HCM, ST-PI, and S/4HANA, March continues the 2026 pattern established in January and February. The recurrence across all three months of the year signals that authorization gap remediation is still far from complete across SAP’s product portfolio.
2 – Third-Party Dependency Risk Returns The highest-CVSS note this month (Note 3698553, CVSS 9.8) is rooted not in SAP code, but in a bundled Apache Log4j 1.2.17 artifact, a vulnerability disclosed in 2019 still present in a production module in 2026. The co-occurrence of an outdated OpenSSL vulnerability in Adobe Document Services (Note 3700960) further reinforces that unmanaged third-party components represent a structural risk in SAP landscapes.
3 – Supply Chain Management DoS Recurs February and March share an identical attack pattern: an authenticated user invoking an RFC-enabled function module with oversized loop parameters to cause DoS in Supply Chain Management. While the CVEs differ, the root cause, RFC-exposed modules without input validation, is identical, suggesting that the February fix may not have covered all affected versions or modules.
4 – SSRF Introduced by Debug/Test Code The SSRF vulnerability in SAP NetWeaver AS ABAP (Note 3689080) stems from an ABAP report created for testing purposes that was never removed from productive systems, allowing authenticated users to send HTTP requests to arbitrary internal endpoints. This pattern, development artifacts lingering in production, is a recurring hardening gap across SAP landscapes.
5 – Client-Side Attack Vector via DLL Hijacking The DLL Hijacking note targeting SAP GUI for Windows with active GuiXT (Note 3699761) is a reminder that client-side components remain an underappreciated attack surface. While CVSS 5.0 reflects limited direct impact, DLL hijacking in widely deployed desktop clients can serve as a lateral movement enabler in endpoint-focused attack chains.
6 – Volume Drop, No Updates March’s 15 notes represent a 44% decrease from February’s 27, and the absence of any iterative updates contrasts with the broader 2026 trend of active re-releases. While this may suggest a lower-pressure month, the two Critical notes, especially the unauthenticated Log4j-based RCE, demand the same urgency as higher-volume months.
The botton line
March 2026’s release requires focused, prioritized action across all SAP environments:
- Emergency Patching for both Critical notes: Log4j-based Code Injection in FS-QUO (Note 3698553), especially urgent given the unauthenticated attack vector, and Insecure Deserialization in NetWeaver Enterprise Portal (Note 3714585), for which no workaround exists.
- Supply Chain Management DoS Remediation for Note 3719502, extending verification to all SCMAPO, SCM, and S4CORE/S4COREOP versions to ensure February’s Note 3703092 fix did not leave residual exposure.
- NetWeaver AS ABAP Hardening across four notes covering SSRF, Missing Authorization, and SQL Injection, with particular attention to removing or restricting the debug ABAP report identified in Note 3689080 from all productive systems.
- Third-Party Dependency Audit to identify other bundled components (Log4j, OpenSSL, and similar libraries) across all SAP products running outdated versions, using Note 3698553 and Note 3700960 as reference cases.
- SAP GUI Client Hardening to address DLL Hijacking in GuiXT environments (Note 3699761), particularly in organizations with active GuiXT deployments or complex desktop configurations.
- ST-PI and BW Authorization Review covering Note 3707930 and Note 3703385 to close authorization gaps in solution tools and Business Warehouse service APIs.
March’s lower note count should not invite complacency, the presence of an unauthenticated Critical RCE rooted in a 2019 CVE is a stark reminder that legacy dependency management remains as urgent as current-cycle patching. Organizations must treat third-party component inventories with the same discipline applied to SAP kernel and basis updates.
At Vicxer, our SAP security experts streamline vulnerability management with real-time monitoring and tailored remediation strategies. Safeguard your landscape against evolving threats. Contact us today to fortify your SAP environment.
You must be logged in to post a comment.