SAP Security Notes, March 2026
Hot news note 3698553 patches a critical command injection vulnerability in Apache Log4j bundled with SAP Quotation Management Insurance. The package assembly for the FS-QUO-scheduler module of the application should be updated to a secure version. As a workaround, the Java archive file log4j-1.2.17.jar can be deleted from the {FS-QUO-scheduler}/lib directory.
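A check for the workaround above, as an added example that is not part of the SAP note: it scans the scheduler's lib directory for Log4j 1.x jars (identified by their class layout plus the manifest or file-name version, so the 2.x log4j-1.2-api bridge is not flagged) and reports whether log4j-1.2.17.jar is gone. The {FS-QUO-scheduler} tree, the bridge jar version and the sample jars are constructed.

```python
from __future__ import annotations
import re
import tempfile
import zipfile
from pathlib import Path

# Log4j 1.x class path; the 2.x log4j-1.2-api bridge ships it too, so the version decides.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"

def jar_version(jar: Path) -> str | None:
    """Version of a Log4j-1.x-style jar from MANIFEST.MF, else from its file name."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if LOG4J1_MARKER not in names:
            return None
        manifest = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    for line in manifest.decode("utf-8", "replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    m = re.match(r"log4j-(\d+(?:\.\d+)*)\.jar$", jar.name)
    return m.group(1) if m else None

def find_log4j1_jars(lib_dir: Path) -> list[tuple[str, str]]:
    """(name, version) of every jar under lib_dir whose Log4j version is 1.x."""
    hits = []
    for jar in sorted(lib_dir.rglob("*.jar")):
        version = jar_version(jar)
        if version and version.split(".")[0] == "1":
            hits.append((jar.name, version))
    return hits

def _write_jar(path: Path, version: str, members: list[str]) -> None:
    """Constructed sample jar: a zip with a manifest plus empty class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        for name in members:
            zf.writestr(name, b"")

def demo() -> dict:
    """Build a constructed scheduler tree, scan it, apply the workaround, rescan."""
    root = Path(tempfile.mkdtemp()) / "FS-QUO-scheduler"  # constructed stand-in for the real path
    lib = root / "lib"
    lib.mkdir(parents=True)
    _write_jar(lib / "log4j-1.2.17.jar", "1.2.17", [LOG4J1_MARKER])
    _write_jar(lib / "log4j-1.2-api-2.20.0.jar", "2.20.0", [LOG4J1_MARKER])  # 2.x bridge, not 1.x
    _write_jar(lib / "other-lib.jar", "3.1", ["com/example/Other.class"])
    before = find_log4j1_jars(lib)
    (lib / "log4j-1.2.17.jar").unlink()  # the workaround named in the note
    return {"before": before, "after_ok": not find_log4j1_jars(lib)}
```

Run `find_log4j1_jars(Path("<scheduler>/lib"))` against the real installation; an empty list means no Log4j 1.x jar remains.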
Hot news note 3714585 addresses an insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration. The vulnerability can lead to remote code execution through the upload of malicious user-supplied content. The fix in the note validates input before it reaches the deserialization logic. The fix is only available for NetWeaver AS Java 7.50. For earlier versions that are no longer maintained by SAP, refer to note 3660659 – Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java. Access can also be restricted for the privileges that grant access to the vulnerable endpoint: the UME group Administrators, the UME role Administrator, and the Portal roles super_admin_role, system_admin_role, and content_admin_role.
Note 3719502 patches a high-risk Denial of Service (DoS) vulnerability in SAP Supply Chain Management. The note adds input validation for calls to a specific vulnerable remote-enabled function module (RFM) to prevent excessive resource consumption. Calls to the vulnerable RFM are monitored by the Cybersecurity Extension for SAP.
The remaining 11 security notes released this month address medium-priority issues in various SAP products, including SSRF and missing authorization check vulnerabilities in SAP NetWeaver AS ABAP (notes 3689080, 3704740, and 3703856).