Advisory

SAP March 2026 Updates Patch Critical FS-QUO, NetWeaver and SCM Flaws

Take action: If you are using SAP products, review the advisory in detail. Prioritize patching the critical vulnerabilities in the SAP Quotation Management Insurance application (FS-QUO) and NetWeaver Enterprise Portal Administration, then the high-severity DoS flaw in Supply Chain Management. Then review the rest of the issues.



SAP released 15 new security notes for March 2026 to fix flaws that could let attackers take over business systems. Two of these fixes address critical issues in SAP Quotation Management Insurance application (FS-QUO) and SAP NetWeaver Enterprise Portal Administration.

Vulnerabilities summary:

Critical and high severity flaws:

  • CVE-2019-17571 (CVSS score 9.8) - Code Injection vulnerability in SAP Quotation Management Insurance application (FS-QUO). This vulnerability affects version FS-QUO 800.
  • CVE-2026-27685 (CVSS score 9.1) - Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration affecting version EP-RUNTIME 7.50.
  • CVE-2026-27689 (CVSS score 7.7) - Denial of Service (DoS) in SAP Supply Chain Management affecting versions SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106, 107, 108, 109, SCM 700, 701, 702, 712.

The remaining twelve security notes resolve medium- and low-severity vulnerabilities across multiple SAP products.

Medium-severity flaws:

  • CVE-2026-24316 (CVSS score 6.4), CVE-2026-24309 (CVSS score 6.4), and CVE-2026-27688 (CVSS score 5.0) - Flaws affecting SAP NetWeaver Application Server for ABAP.
  • CVE-2026-27684 (CVSS score 6.4) - SQL Injection vulnerability in SAP NetWeaver (Feedback Notification).
  • CVE-2026-0489 (CVSS score 6.1) - DOM-based Cross-Site Scripting (XSS) vulnerability in SAP Business One (Job Service).
  • CVE-2026-27686 (CVSS score 5.9) - Missing authorization check in SAP Business Warehouse (Service API).
  • CVE-2026-27687 (CVSS score 5.8) - Missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal.
  • CVE-2026-24311 (CVSS score 5.6) - Insecure Storage Protection vulnerability in SAP Customer Checkout 2.0.
  • CVE-2026-24317 (CVSS score 5.0) - DLL Hijacking in SAP GUI for Windows with active GuiXT.
  • CVE-2026-24313 (CVSS score 5.0) - Missing authorization check in SAP Solution Tools Plug-In (ST-PI).
  • CVE-2025-9230, CVE-2025-9232 (CVSS score 4.3) - Denial of Service due to an outdated OpenSSL version in SAP NetWeaver AS Java (Adobe Document Services).

Low-severity issues include CVE-2026-24310 (CVSS score 3.5) addressing a missing authorization check in SAP NetWeaver Application Server for ABAP.

SAP does not mention whether any of these vulnerabilities are being exploited in the wild. SAP advises that users check the SAP Support Portal and apply updates ASAP.
