For the SAP Patch Day in March 2026, SAP published twenty security notes. Two are classified as HotNews.

For the monthly SAP Patch Day in March 2026, SAP released a total of 20 new and updated security notes. Two of them carry the highest warning level — HotNews — as they address critical vulnerabilities with far-reaching consequences for affected systems. An additional High Priority note highlights serious risks within SAP Supply Chain Management. Onapsis Research Labs (ORL) were involved in the discovery and reporting of one of the new vulnerabilities.

Log4j Returns: Critical Code Injection in SAP Quotation Management Insurance

The most severe vulnerability of the current Patch Day carries the identifier #3698553 and reaches a CVSS score of 9.8 — nearly the maximum rating. The affected product is SAP Quotation Management Insurance (FS-QUO), which internally uses an outdated Apache Log4j artifact, version 1.2.17. This library version has long been known to be affected by CVE-2019-17571.

The flaw allows an unauthenticated attacker to remotely execute arbitrary code on the affected server — without any login or permissions. The potential consequences are severe: complete loss of confidentiality, integrity, and availability of the application and the insurance data it processes. SAP strongly urges affected customers to apply the provided patch immediately.
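As an added example (not from the article, SAP or Onapsis), the kind of dependency check a defender can run to locate Log4j 1.x artifacts, such as the 1.2.17 version named above, among a set of JAR files. It assumes the standard Maven pom.properties and MANIFEST.MF layout inside the JAR and builds constructed sample JARs for the demonstration.

```python
import io
import re
import zipfile
from typing import Iterable, List, Optional, Tuple

VULNERABLE_MAJOR = "1"  # Apache never fixed CVE-2019-17571 in 1.x, so every 1.x artifact is reported
POM_PROPS = re.compile(r"^META-INF/maven/log4j/log4j/pom\.properties$")  # Maven coordinates of Log4j 1.x
MARKER_CLASS = "org/apache/log4j/Logger.class"  # 1.x package; 2.x lives under org/apache/logging/

def _first_value(text: str, prefix: str, sep: str) -> Optional[str]:
    """Return the value of the first line starting with prefix, split once on sep."""
    for line in text.splitlines():
        if line.startswith(prefix):
            return line.split(sep, 1)[1].strip()
    return None

def log4j_version_from_jar(data: bytes) -> Optional[str]:
    """Version from pom.properties, else MANIFEST.MF if the 1.x marker class exists, else None."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        for name in names:
            if POM_PROPS.match(name):
                return _first_value(jar.read(name).decode("utf-8", "replace"), "version=", "=")
        if MARKER_CLASS in names and "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            return _first_value(manifest, "Implementation-Version:", ":")
    return None

def scan_jars(jars: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (name, version) for every Log4j 1.x JAR among (name, bytes) pairs."""
    findings = []
    for name, data in jars:
        try:
            version = log4j_version_from_jar(data)
        except zipfile.BadZipFile:
            continue  # not a real JAR: skip it rather than abort the audit
        if version and version.split(".")[0] == VULNERABLE_MAJOR:
            findings.append((name, version))
    return findings

def build_sample_jar(version: str, log4j1: bool = True) -> bytes:
    """Constructed stand-in JAR for testing; real artifacts carry far more entries."""
    pom = "META-INF/maven/log4j/log4j/pom.properties" if log4j1 else "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(pom, f"version={version}\n")
        if log4j1:
            jar.writestr(MARKER_CLASS, b"")  # empty placeholder for the package marker
    return buf.getvalue()
```

To audit a real installation, feed `scan_jars` pairs such as `(str(p), p.read_bytes()) for p in pathlib.Path(root).rglob("*.jar")`; a non-empty result names the JARs that still ship the unfixed 1.x line.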

Insecure Deserialization Threatens SAP NetWeaver Enterprise Portal

The second HotNews note (#3714585, CVSS 9.1) affects SAP NetWeaver Enterprise Portal Administration. Missing or insufficient validation during the deserialization of uploaded content allows an attacker with the appropriate administrative privileges to upload untrusted or malicious files into the system.

The CVSS score is 9.1 rather than 10.0 because a successful attack requires elevated privileges — limiting the pool of potential attackers, though this does not fundamentally diminish the severity of the vulnerability. Particularly in enterprise environments with many privileged accounts, this vulnerability represents a substantial risk.

High Priority: Denial-of-Service Risk in SAP Supply Chain Management

Security note #3719502 (CVSS 7.7) addresses a denial-of-service vulnerability in SAP Supply Chain Management discovered by the Onapsis Research Labs. The root cause is a remotely accessible function module that executes a loop whose iteration count can be externally controlled via an input parameter.

An authenticated attacker with standard user rights can call this module repeatedly, consuming excessive system resources and potentially rendering the system completely unavailable. SAP addresses the issue by introducing a hardcoded cap of 30,000 loop iterations. The associated CVE identifier is CVE-2026-27689.

Update: XML Signature Wrapping in SAP NetWeaver ABAP

Also included in the March cycle is an updated High Priority note (#3697567, CVSS 8.8) addressing an XML signature wrapping vulnerability in SAP NetWeaver AS ABAP and the ABAP Platform. The note was originally published in February; the March update contains only minor text changes in the solution section.

Assessment and Recommended Action

The March Patch Day once again underscores how long-lived known vulnerabilities in libraries such as Log4j can be for organizations that do not consistently update their dependencies. The combination of a near-maximum CVSS score and the possibility of unauthenticated remote code execution makes the Log4j patch the most urgent measure in this cycle.

The Onapsis Research Labs continuously update the Onapsis platform to reflect newly published vulnerabilities, providing affected organizations with the best possible protection in a timely manner. SAP customers are advised to prioritize the application of all available patches and, in particular, not to defer the HotNews notes to the next maintenance window.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
