Today, 2026, SAP released its monthly security patch update, addressing 15 new security notes across its product ecosystem. This month’s update is particularly significant, featuring two Critical priority vulnerabilities that could allow remote code execution or complete system compromise if left unaddressed.
Security teams should prioritize the following two notes, both of which carry CVSS scores above 9.0:
- [CVE-2019-17571] SAP Quotation Management Insurance (FS-QUO): With a CVSS score of 9.8, this vulnerability involves an outdated SocketServer class in Log4j 1.2. Attackers can exploit this to perform deserialization of untrusted data, leading to Remote Code Execution (RCE) when the system is listening to untrusted network traffic.
- [CVE-2026-27685] SAP NetWeaver Enterprise Portal Administration: This note addresses an Insecure Deserialization flaw (CVSS 9.1). A privileged user uploading malicious content could trigger the vulnerability, resulting in a high impact on the confidentiality, integrity, and availability of the host system.
Beyond the critical fixes, several other applications received important security updates:
- Denial of Service in Supply Chain Management [CVE-2026-27689]: A High-priority (CVSS 7.7) uncontrolled resource consumption bug was identified. An authenticated attacker could repeatedly invoke a specific function with a large loop-control parameter, exhausting system resources and causing a system-wide outage.
- NetWeaver AS for ABAP: This core component received multiple updates addressing Server-Side Request Forgery (SSRF) [CVE-2026-24316], Missing Authorization Checks [CVE-2026-24309 and CVE-2026-27688], and SQL Injection in Feedback Notifications [CVE-2026-27684].
- SAP Business One (Job Service): A DOM-based Cross-Site Scripting (XSS) vulnerability [CVE-2026-0489] could allow attackers to execute malicious scripts in a user’s browser.
- DLL Hijacking in SAP GUI: Windows users with active GuiXT are advised to patch [CVE-2026-24317] to prevent attackers from executing unauthorized code via malicious DLL files.
| Priority | Count | Key Impact Areas |
|---|---|---|
| Critical | 2 | Remote Code Execution (RCE), System Compromise |
| High | 1 | Denial of Service (DoS) |
| Medium | 11 | SSRF, SQL Injection, XSS, DLL Hijacking |
| Low | 1 | Missing Authorization Check |