SAP Releases Security Update to Patch Multiple Remote Code Execution Vulnerabilities

The release spans core platforms such as SAP NetWeaver, S/4HANA, Business One, Business Warehouse, and various industry and client applications.

SAP urges customers to review all notes and apply fixes without delay through the SAP Support Portal.

Critical Remote Code Execution Risks

The most severe issue is a code injection vulnerability (CVE-2019-17571) in SAP Quotation Management Insurance (FS-QUO), rated Critical with a CVSS score of 9.8.

It stems from a known Apache Log4j 1.2 deserialization flaw: the library's SocketServer class deserializes logging events received over the network without validating them, so an unauthenticated remote attacker who can reach such a listener and supply a suitable gadget chain can execute arbitrary code, fully compromising the confidentiality, integrity, and availability of the affected system. Because Log4j 1.x has been end-of-life since 2015 and receives no upstream fixes, remediation depends on SAP's note rather than on a library update.
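A practical first triage step for the FS-QUO issue is to find out which Log4j 1.x jars on an application server still ship the network-deserialization classes behind CVE-2019-17571. The scanner below is an added example written for this page, not SAP's or Apache's code; the class names it looks for (org/apache/log4j/net/SocketServer.class and SocketNode.class) are the real Log4j 1.2 classes, while the jars it builds in a temporary directory are constructed stand-ins so the example runs offline. It flags jars containing the classes and ignores a copy from which they have been stripped, a common hardening pattern for Log4j 1.x installs that cannot be upgraded.

```python
"""Find Log4j 1.x jars that still contain the SocketServer/SocketNode
classes behind CVE-2019-17571.

Added example, not SAP's or Apache's code. build_sample_jar() writes
constructed jars (empty class entries) so the scan runs offline.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List

# Log4j 1.2 classes that deserialize LoggingEvent objects read from a socket.
RISKY_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
# Matches file names such as log4j-1.2.17.jar (case-insensitive).
LOG4J1_JAR = re.compile(r"log4j-1\.2(\.\d+)?\.jar$", re.IGNORECASE)


def inspect_jar(path: str) -> Dict[str, object]:
    """Report which risky classes a jar contains and whether it looks like Log4j 1.x."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    present = [c for c in RISKY_CLASSES if c in names]
    # org.apache.log4j.Category only exists in the 1.x line.
    is_log4j1 = ("org/apache/log4j/Category.class" in names
                 or bool(LOG4J1_JAR.search(os.path.basename(path))))
    return {"path": path, "log4j1": is_log4j1, "risky_classes": present}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and return every jar that still carries a risky class."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                info = inspect_jar(os.path.join(dirpath, f))
                if info["risky_classes"]:
                    findings.append(info)
    return findings


def build_sample_jar(directory: str, name: str, with_socket_server: bool) -> str:
    """Write a constructed jar with empty class entries to exercise the scanner."""
    path = os.path.join(directory, name)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("org/apache/log4j/Category.class", b"")
        zf.writestr("org/apache/log4j/net/SocketAppender.class", b"")
        if with_socket_server:
            for c in RISKY_CLASSES:
                zf.writestr(c, b"")
    return path


def demo() -> List[str]:
    """Build one vulnerable and one stripped jar, scan, return flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(tmp, "log4j-1.2.17.jar", with_socket_server=True)
        build_sample_jar(tmp, "log4j-1.2.17-stripped.jar", with_socket_server=False)
        return sorted(os.path.basename(f["path"]) for f in scan_tree(tmp))


if __name__ == "__main__":
    for name in demo():
        print("still contains SocketServer/SocketNode:", name)
```

Run scan_tree() against the application's lib directories rather than demo() on a real system. A hit means the deserialization code path is still present; it does not by itself tell you whether a SocketServer listener is configured or whether SAP's FS-QUO note has been applied, so treat it as a prioritization signal, not a verdict.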

A second critical note covers insecure deserialization in SAP NetWeaver Enterprise Portal Administration (CVE-2026-27685), with a CVSS score of 9.1.

In this case, a highly privileged attacker can abuse unsafe deserialization of uploaded content to achieve arbitrary code execution with cross-scope impact across the portal environment.

Beyond RCE, SAP also fixed a denial-of-service vulnerability in SAP Supply Chain Management (CVE-2026-27689, CVSS 7.7), which can allow authenticated users to disrupt system availability.

Additional medium-severity issues include a server-side request forgery (SSRF) in SAP NetWeaver AS ABAP and multiple missing authorization checks in NetWeaver AS ABAP, SAP BW, S/4HANA HCM Portugal, ERP HCM Portugal, and the SAP Solution Tools Plug-In (ST-PI).

Further notes address SQL injection in SAP NetWeaver Feedback Notification (CVE-2026-27684), DOM-based XSS in SAP Business One Job Service (CVE-2026-0489), insecure storage protection in SAP Customer Checkout 2.0, DLL hijacking in SAP GUI for Windows with GuiXT, and a denial-of-service risk due to outdated OpenSSL in SAP NetWeaver AS Java (Adobe Document Services).

SAP customers should prioritize patching the FS-QUO code injection and NetWeaver Enterprise Portal insecure deserialization vulnerabilities, as both can be used to gain remote code execution and complete system compromise.

Security and basis teams should then address the remaining high and medium notes, focusing on internet-facing systems, business-critical modules, and environments where attackers could chain authorization, injection, and deserialization flaws for lateral movement.

All fixes and implementation guidance are available through the SAP Security Notes & News section of the SAP Support Portal.


The post SAP Releases Security Update to Patch Multiple Remote Code Execution Vulnerabilities appeared first on Cyber Security News.
