SAP Patch Day: NetWeaver vulnerability allows code injection

In March, SAP addresses security vulnerabilities, some of them critical, in various products in 15 advisories. Admins must act.

SAP logo next to "Warning" sign

(Image: heise medien)


Admins of SAP installations have work to do this Tuesday: SAP has released advisories for 15 vulnerabilities in the company's products. Some of them are critical and allow the injection of malicious code. Prompt application of the available updates is therefore advisable.

On the March patch day overview page, SAP lists the 15 security advisories. In total, the developers rate two of the vulnerabilities as critical, one as high, eleven as medium, and one as low risk.

A code injection vulnerability in the SAP Quotation Management Insurance Application (FS-QUO) stems from a flaw in the SocketServer class of Log4j. The class deserializes untrusted data received over the network and can be abused to inject and execute malicious code. This is not the vulnerability known as Log4Shell, which has kept the internet busy since the end of 2021; it is even older and became public in 2019 (CVE-2019-17571, CVSS 9.8, Risk “critical”).
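Since the flaw lives in a class shipped inside Log4j 1.x jars, the first defensive step is knowing which deployments still carry it. The following inventory check is an added example, not SAP's or heise's code: it opens jars as zip archives, looks for the `org/apache/log4j/net/SocketServer.class` entry, and recovers the version string from the file name or manifest. The sample jar it builds is constructed for offline demonstration and is not a real Log4j build.

```python
"""Inventory check for Log4j 1.x jars that still ship the network
SocketServer class, the deserialization sink behind CVE-2019-17571."""
import io
import re
import zipfile
from pathlib import Path

# Path of the listener class inside a Log4j 1.x jar.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Version string from the file name (preferred) or from the manifest.
VERSION_RE = re.compile(r"log4j-(1\.\d+(?:\.\d+)?)\.jar$")
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)

def inspect_jar(data: bytes, name: str = "") -> dict:
    """Report whether one jar (given as bytes) contains SocketServer
    and which version string, if any, can be recovered."""
    finding = {"name": name, "socket_server": False, "version": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            finding["socket_server"] = SOCKET_SERVER_CLASS in names
            m = VERSION_RE.search(name)
            if m:
                finding["version"] = m.group(1)
            elif "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                vm = MANIFEST_RE.search(manifest)
                if vm:
                    finding["version"] = vm.group(1)
    except zipfile.BadZipFile:
        finding["error"] = "not a zip/jar"
    return finding

def scan_directory(root: str) -> list:
    """Walk a tree and return the jars that still ship SocketServer."""
    return [f for f in (inspect_jar(p.read_bytes(), p.name)
                        for p in Path(root).rglob("*.jar"))
            if f["socket_server"]]

def build_sample_jar(with_socket_server: bool) -> bytes:
    """Constructed sample jar for offline demonstration, not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        if with_socket_server:
            zf.writestr(SOCKET_SERVER_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run `scan_directory("/path/to/app/lib")` against a deployment's library directory; any hit means the vulnerable listener class is present, even if no SocketServer is actually started, and the jar should be removed or replaced.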


In NetWeaver Enterprise Portal Administration, there is a security vulnerability that users with rights in the system can exploit by uploading untrusted or malicious content. This content is deserialized for execution and has a “strong impact on the confidentiality, integrity, and availability of the host system,” SAP explains in the vulnerability description (CVE-2026-27685, CVSS 9.1, Risk “critical”).

An attacker can exploit a vulnerability in SAP's supply chain management for a denial-of-service (DoS) attack. By repeatedly calling an unspecified function with an excessively large loop control parameter, they can tie up massive system resources in long-running loops until the system is no longer available (CVE-2026-27689, CVSS 7.7, Risk “high”).

The further security flaws with lower threat levels affect SAP NetWeaver Application Server for ABAP, SAP NetWeaver (Feedback Notification), SAP Business One (Job Service), SAP Business Warehouse (Service API), SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, SAP Customer Checkout 2.0, SAP GUI for Windows, SAP Solution Tools Plug-In (ST-PI), and SAP NetWeaver AS Java (Adobe Document Services).

In February of this year, SAP released as many as 26 security advisories on patch day. Two of them were rated critical security risks.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.