SAP urges customers to review all notes and apply fixes without delay through the SAP Support Portal.
The most severe issue is a code injection vulnerability (CVE-2019-17571) in SAP Quotation Management Insurance (FS-QUO), rated Critical with a CVSS score of 9.8.
It leverages a known Apache Log4j 1.2 deserialization flaw and allows unauthenticated remote attackers to execute arbitrary code, fully compromising the confidentiality, integrity, and availability of the affected system.
A second critical note covers insecure deserialization in SAP NetWeaver Enterprise Portal Administration (CVE-2026-27685), with a CVSS score of 9.1.
In this case, a highly privileged attacker can abuse unsafe deserialization of uploaded content to achieve arbitrary code execution with cross-scope impact across the portal environment.
Beyond RCE, SAP also fixed a denial-of-service vulnerability in SAP Supply Chain Management (CVE-2026-27689, CVSS 7.7), which can allow authenticated users to disrupt system availability.
Additional medium-severity issues include server-side request forgery (SSRF) in SAP NetWeaver AS ABAP, multiple missing authorization checks across NetWeaver AS ABAP, SAP BW, S/4HANA HCM Portugal, ERP HCM Portugal, and SAP Solution Tools Plug-In (ST-PI).
Further notes address SQL injection in SAP NetWeaver Feedback Notification (CVE-2026-27684), DOM-based XSS in SAP Business One Job Service (CVE-2026-0489), insecure storage protection in SAP Customer Checkout 2.0, DLL hijacking in SAP GUI for Windows with GuiXT, and a denial-of-service risk due to outdated OpenSSL in SAP NetWeaver AS Java (Adobe Document Services).
SAP customers should prioritize patching the FS-QUO code injection and NetWeaver Enterprise Portal insecure deserialization vulnerabilities, as both can be used to gain remote code execution and complete system compromise.
Security and basis teams should then address the remaining high and medium notes, focusing on internet-facing systems, business-critical modules, and environments where attackers could chain authorization, injection, and deserialization flaws for lateral movement.
All fixes and implementation guidance are available through the SAP Security Notes & News section of the SAP Support Portal.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post SAP Releases Security Update to Patch Multiple Remote Code Execution Vulnerabilities appeared first on Cyber Security News.
The cost of console gaming has become significantly more expensive in recent months. Sony hiked…
Ubiquiti Networks has released emergency security updates addressing five critical vulnerabilities in its UniFi OS…
A critical zero-day privilege-escalation vulnerability in the LiteSpeed User-End cPanel plugin is being actively exploited.…
A sophisticated, multi-stage intrusion campaign has been documented by Microsoft’s Defender Security Research team, in…
Anthropic’s Project Glasswing has fundamentally altered the cybersecurity landscape by demonstrating how unreleased frontier AI…
A multi-stage intrusion attack where a threat actor exploited an internet-facing F5 BIG-IP edge appliance…
This website uses cookies.