Full Report
SAP security advisory – March 2026 monthly rollup (AV26-209)
Analysis Summary
Based on the SAP security advisory rollup for March 2026 (AV26-209), here is the summarized vulnerability information.
# Vulnerability: SAP March 2026 Monthly Security Rollup
## CVE Details
**1. Insecure Deserialization in NetWeaver**
- CVE ID: CVE-2026-27685
- CVSS Score: 9.8 (Critical)
- CWE: CWE-502 (Deserialization of Untrusted Data)
**2. Code Injection in FS-QUO**
- CVE ID: CVE-2019-17571
- CVSS Score: 9.8 (Critical)
- CWE: CWE-94 (Improper Control of Generation of Code)
**3. Denial of Service (DoS) in SCM**
- CVE ID: CVE-2026-27689
- CVSS Score: 7.5 (High)
- CWE: CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:**
- SAP NetWeaver Enterprise Portal Administration
- SAP Quotation Management Insurance Application (FS-QUO)
- SAP Supply Chain Management (SCM)
- **Versions:**
- EP-RUNTIME 7.50
- FS-QUO 800
- Multiple SCM versions (refer to SAP Note 3719502)
- **Configurations:** Systems running the Enterprise Portal Runtime or insurance quotation modules exposed to network traffic.
## Vulnerability Description
- **CVE-2026-27685:** A critical insecure deserialization flaw in the NetWeaver Enterprise Portal Administration allows an unauthenticated attacker to execute arbitrary code by sending specially crafted serialized data.
- **CVE-2019-17571:** Not a new flaw in FS-QUO itself but a vulnerable Log4j 1.2.x component bundled with the application. The library's SocketServer/SocketNode network log receiver reads whatever a connecting peer sends with ObjectInputStream.readObject(), so an attacker who can reach a running receiver can send a crafted serialized object and obtain remote code execution. The library merely being on the classpath is what the SAP Note removes or disables; whether a listener is actually started determines exploitability on a given system.
- **CVE-2026-27689:** A vulnerability in SAP SCM where improperly handled requests can lead to a complete exhaustion of system resources, resulting in a Denial of Service.
## Exploitation
- **Status:** PoC available for CVE-2019-17571 (publicly documented legacy flaw); CVE-2026-27685 and CVE-2026-27689 not reported as exploited in the wild at the time of the advisory.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total (Critical variants)
- **Integrity:** Total (Critical variants)
- **Availability:** Total (All variants)
## Remediation
### Patches
SAP recommends applying the following Security Notes:
- **SAP Note 3714585:** Update EP-RUNTIME 7.50 to the latest patch level.
- **SAP Note 3698553:** Patch FS-QUO 800 to remove/disable the vulnerable Log4j component.
- **SAP Note 3719502:** Updates for affected SAP SCM components.
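To verify that the Log4j 1.x component targeted by SAP Note 3698553 is really gone after patching, the following Python scanner (an added example, not code from SAP or the Cyber Centre) walks a deployment directory and reports every jar, war, ear, sda or sca archive, including archives nested inside other archives, that still ships the Log4j 1.x socket receiver classes. The class names are the real Log4j 1.2 ones; the directory layout, archive names and fixture contents are constructed for the demo and stand in for whatever the FS-QUO deployment actually contains. A hit means the deserializing receiver is on the classpath; whether a listener is started is a separate runtime check.

```python
import io
import os
import tempfile
import zipfile

# Class files of the Log4j 1.x network log receiver.  SocketNode is the class that
# calls ObjectInputStream.readObject() on whatever the remote peer sends (the root
# cause of CVE-2019-17571); SocketServer and SimpleSocketServer are the listeners
# that hand accepted connections to it.
LOG4J1_SOCKET_CLASSES = (
    "org/apache/log4j/net/SocketNode.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
)
# Archive types worth opening; SAP Java deployments nest jars inside war/ear/sda/sca.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".sda", ".sca", ".zip")


def scan_zip(zf, label):
    """Return {label: [classes]} for this archive and every archive nested in it.

    Nested archives are read into memory and scanned recursively, with the member
    path appended to the label after '!' so the report shows where the hit lives.
    """
    names = set(zf.namelist())
    hits = {}
    found = [c for c in LOG4J1_SOCKET_CLASSES if c in names]
    if found:
        hits[label] = found
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    hits.update(scan_zip(inner, f"{label}!{name}"))
            except zipfile.BadZipFile:
                continue  # member has an archive suffix but is not a zip
    return hits


def scan_tree(root):
    """Walk root and report every archive (keyed by path relative to root) that
    bundles the Log4j 1.x socket receiver classes."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    hits.update(scan_zip(zf, os.path.relpath(path, root)))
            except (zipfile.BadZipFile, OSError):
                continue
    return hits


def build_demo_tree(root):
    """Write constructed fixture archives (not real SAP files) under root."""
    vuln = os.path.join(root, "log4j-1.2.17.jar")
    with zipfile.ZipFile(vuln, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"")
        zf.writestr("org/apache/log4j/net/SocketNode.class", b"")
        zf.writestr("org/apache/log4j/net/SocketServer.class", b"")
    clean = os.path.join(root, "commons-lang3-3.12.0.jar")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("org/apache/commons/lang3/StringUtils.class", b"")
    # A web archive that bundles the vulnerable jar under WEB-INF/lib: the case
    # a plain filename search on disk would miss.
    with open(vuln, "rb") as f:
        inner = f.read()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-1.2.17.jar", inner)


def demo():
    """Build the fixtures in a temp dir, scan them, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for archive, classes in sorted(demo().items()):
        print(f"{archive}: {', '.join(classes)}")
```

Point `scan_tree` at the J2EE engine's deployment root rather than at the demo fixtures to use it for real; a clean result after applying the note is the evidence to keep.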
### Workarounds
- **Network Segmentation:** Isolate affected SAP NetWeaver portals from the public internet.
- **Input Filtering:** Implement WAF rules that block request bodies carrying a Java serialization stream (header bytes AC ED 00 05, or the prefix rO0AB when base64-encoded) before they reach the Enterprise Portal endpoints. Treat this as a stopgap only: it does not see payloads that are compressed or otherwise encoded, and it does not remove the vulnerable code.
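The following Python check (an added example, not code from SAP or the Cyber Centre) shows what such a WAF rule has to match and where it falls short. It looks for the Java serialization stream header in raw, percent-encoded and base64 form over a set of constructed request bodies, one of which is the same object gzip-compressed; that body passes the check untouched, which is why the rule is a stopgap rather than a fix. The sample bodies and the stub object payload are constructed for the demo and are not captured traffic.

```python
import base64
import gzip
from urllib.parse import unquote_to_bytes

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The same header base64-encoded.  These five characters are fixed whenever the
# stream starts at the beginning of the encoded value (the usual case); the sixth
# character depends on the byte that follows the header, so it is not matched.
JAVA_SER_B64_PREFIX = b"rO0AB"


def looks_like_java_serialized(body: bytes) -> bool:
    """Heuristic WAF-style check for a Java serialization stream in a request body.

    Inspects the raw bytes and a percent-decoded copy (form posts), matching either
    the binary header or its base64 prefix.  Deliberately cheap; see the samples
    below for what it misses.
    """
    views = (body, unquote_to_bytes(body))
    return any(JAVA_SER_MAGIC in v or JAVA_SER_B64_PREFIX in v for v in views)


# Constructed sample bodies, not captured traffic.  The bytes after the header are
# a stub standing in for a real object graph.
_FAKE_OBJECT = JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap"
SAMPLE_BODIES = {
    "raw_stream": _FAKE_OBJECT,
    "base64_param": b"state=" + base64.b64encode(_FAKE_OBJECT),
    "urlencoded_form": b"data=" + b"".join(b"%%%02X" % c for c in _FAKE_OBJECT),
    "json_benign": b'{"user": "alice", "action": "view"}',
    "form_benign": b"user=alice&action=view",
    # Evasion: the same object gzip-compressed (sent with Content-Encoding: gzip).
    # A WAF that inspects the body before decompressing sees none of the markers.
    "gzip_evasion": gzip.compress(_FAKE_OBJECT, mtime=0),
}


def evaluate_samples():
    """Run the check over the constructed samples; returns {name: would_block}."""
    return {name: looks_like_java_serialized(b) for name, b in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, blocked in evaluate_samples().items():
        print(f"{name:16s} {'BLOCK' if blocked else 'pass'}")
```

The three encoded variants are blocked and the two benign bodies pass, but the compressed body passes too; a rule like this only buys time until SAP Note 3714585 is applied, and the decompression and decoding behaviour of the specific WAF decides how much.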
## Detection
- **Indicators of Compromise:** Unexpected child processes (shells, scripting interpreters) spawned by the NetWeaver Java server process; sustained CPU or memory exhaustion in SCM modules without a matching workload; files written to NetWeaver directories outside deployment or patch windows.
- **Detection methods and tools:** SAP Early Watch Alert (EWA) and SAP Solution Manager Configuration Validation.
## References
- [SAP Security Patch Day - March 2026] hxxps[://]support[.]sap[.]com/en/my-support/knowledge-base/security-notes-news/march-2026[.]html
- [Canadian Centre for Cyber Security Advisory] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/sap-security-advisory-march-2026-monthly-rollup-av26-209
- [SAP Note 3698553] hxxps[://]me[.]sap[.]com/notes/3698553
- [SAP Note 3714585] hxxps[://]me[.]sap[.]com/notes/3714585
- [SAP Note 3719502] hxxps[://]me[.]sap[.]com/notes/3719502