SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities

SAP's March 2026 Security Patch Day addresses a critical code injection vulnerability in FS-Quotation Management (CVE-2019-17571, CVSS 9.8), described as a Log4Shell-related deserialization flaw in Apache Log4j that allows remote code execution, and a critical insecure deserialization flaw in NetWeaver (CVE-2026-27685, CVSS 9.1) that could lead to code execution, DoS, or privilege escalation. CVE-2019-17571 affects Apache Log4j versions up to and including 1.2.17; a fixed version of 4.14.3 is noted. SAP advises users to apply the provided patches immediately.

A code injection bug in FS-QUO and an insecure deserialization flaw in NetWeaver could lead to arbitrary code execution.

By Ionut Arghire | March 10, 2026 (10:31 AM ET)

Enterprise security firm SAP on Tuesday announced the release of 15 new security notes as part of its March 2026 Security Patch Day.

The most important of these notes resolves critical-severity vulnerabilities in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration.

SAP describes the FS-QUO bug, tracked as CVE-2019-17571 (CVSS score of 9.8), as a code injection issue. Initially disclosed in December 2019, it is a deserialization of untrusted data defect in Apache Log4j (Log4Shell) that could allow remote attackers to execute arbitrary code under certain conditions.

The second critical-severity bug, tracked as CVE-2026-27685 (CVSS score of 9.1), is another deserialization of untrusted data issue. It could allow attackers to upload untrusted data that, when deserialized, could lead to code execution, denial-of-service (DoS) conditions, or privilege escalation.

The third security note released on SAP’s March 2026 Security Patch Day resolves CVE-2026-27689 (CVSS score of 7.7), a high-severity DoS bug in Supply Chain Management. The issue allows an attacker to repeatedly call an unspecified function with an extremely large loop control parameter, eventually exhausting system resources through continuous execution.

SAP’s remaining new security notes resolve medium-severity issues in NetWeaver, Business One, Business Warehouse, S/4HANA, Customer Checkout 2.0, GUI for Windows, and Solution Tools Plug-In. The resolved security defects include server-side request forgery (SSRF), missing authorization check, SQL injection, XSS, insecure storage protection, DLL hijacking, and DoS flaws.

SAP makes no mention of any of these vulnerabilities being exploited in the wild, but users should update their deployments as soon as possible.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.