SAP: SAP Releases Security Update to Patch Multiple Remote Code Execution Vulnerabilities

SAP Releases Critical Security Patches for Multiple Vulnerabilities

SAP has issued a security update addressing multiple vulnerabilities across its core platforms, including SAP NetWeaver, S/4HANA, Business One, Business Warehouse, and industry-specific applications. The patches resolve critical flaws that could enable remote code execution (RCE), denial-of-service (DoS), and unauthorized access if left unaddressed.

Critical Vulnerabilities Highlighted

  1. CVE-2019-17571 (CVSS 9.8) – A code injection flaw in SAP Quotation Management Insurance (FS-QUO), stemming from the Apache Log4j 1.2 SocketServer, which deserializes untrusted data it receives over the network. Unauthenticated attackers can exploit this to execute arbitrary code, compromising system confidentiality, integrity, and availability.
  2. CVE-2026-27685 (CVSS 9.1) – An insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration, allowing highly privileged attackers to achieve RCE with cross-scope impact.
  3. CVE-2026-27689 (CVSS 7.7) – A DoS vulnerability in SAP Supply Chain Management, enabling authenticated users to disrupt system availability.
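The FS-QUO entry above is a bundled-dependency problem rather than a flaw in SAP's own code: the fix is to remove or replace the Log4j 1.x JAR, and the practitioner's first question is which deployments still carry one. The script below is an added example, not SAP's tooling or anything from the source article. It assumes the component ships Log4j as ordinary JAR files on disk (an assumption; real SAP installations may package it differently), walks a directory tree, and flags any JAR that identifies itself as Log4j 1.x and still contains the SocketServer/SocketNode classes behind CVE-2019-17571. The two JARs it scans are constructed in-line so it runs offline.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Classes that implement the Log4j 1.2 SocketServer feature. SocketNode is the
# code path that calls ObjectInputStream.readObject() on network input
# (CVE-2019-17571); if neither class is present the listener cannot be started.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
SOCKET_NODE_CLASS = "org/apache/log4j/net/SocketNode.class"
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"


def log4j1_version(zf):
    """Return the Log4j 1.x version recorded in the JAR, or None if absent."""
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", text, re.M)
        if m:
            return m.group(1).strip()
    if "META-INF/MANIFEST.MF" in names:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        if re.search(r"^Implementation-Title:\s*log4j\s*$", text, re.M | re.I):
            m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
            if m:
                return m.group(1)
    return None


def assess_jar(data):
    """Classify one JAR's bytes as (version, has_socket_server, vulnerable)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = log4j1_version(zf)
        has_socket = SOCKET_SERVER_CLASS in names or SOCKET_NODE_CLASS in names
    vulnerable = version is not None and version.startswith("1.") and has_socket
    return version, has_socket, vulnerable


def scan_tree(root):
    """Walk a directory tree and return assess_jar() findings for every JAR."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        key = str(path.relative_to(root))
        try:
            findings[key] = assess_jar(path.read_bytes())
        except zipfile.BadZipFile:
            findings[key] = (None, False, False)  # corrupt archive, not Log4j
    return findings


def build_sample_jar(entries):
    """Build an in-memory JAR (a zip file) from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real SAP artefacts): a Log4j 1.2.17 JAR that still
# carries the SocketServer classes, and a Log4j 2.x JAR that does not.
VULNERABLE_JAR = build_sample_jar({
    POM_PROPERTIES: "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
    SOCKET_SERVER_CLASS: b"\xca\xfe\xba\xbe",
    SOCKET_NODE_CLASS: b"\xca\xfe\xba\xbe",
    "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
})
SAFE_JAR = build_sample_jar({
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "version=2.17.1\n",
    "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",
})


def demo_scan():
    """Write the constructed JARs into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root) / "lib"
        lib.mkdir()
        (lib / "log4j-1.2.17.jar").write_bytes(VULNERABLE_JAR)
        (lib / "log4j-core-2.17.1.jar").write_bytes(SAFE_JAR)
        return scan_tree(root)


if __name__ == "__main__":
    for name, (version, has_socket, vulnerable) in sorted(demo_scan().items()):
        print(f"{name}: version={version} socket_server={has_socket} "
              f"vulnerable={vulnerable}")
```

Point `scan_tree()` at the application's library directory to get the same report for a real host. A hit means the unsafe class is still on the classpath; whether a SocketServer is actually listening is a separate question, so treat the scan as the trigger for applying the SAP note, not as proof of exposure either way.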

Additional Flaws Addressed

  • Server-Side Request Forgery (SSRF) in SAP NetWeaver AS ABAP
  • Missing authorization checks in NetWeaver AS ABAP, SAP BW, S/4HANA HCM (Portugal), ERP HCM (Portugal), and SAP Solution Tools Plug-In (ST-PI)
  • SQL injection in SAP NetWeaver Feedback Notification (CVE-2026-27684)
  • DOM-based XSS in SAP Business One Job Service (CVE-2026-0489)
  • Insecure storage protection in SAP Customer Checkout 2.0
  • DLL hijacking in SAP GUI for Windows with GuiXT
  • DoS risk due to outdated OpenSSL in SAP NetWeaver AS Java (Adobe Document Services)

SAP advises customers to prioritize patching the FS-QUO and NetWeaver Enterprise Portal flaws, as they pose the highest risk of full system compromise. Security teams should then address the remaining high- and medium-severity issues, particularly on internet-facing and business-critical systems, since lower-rated flaws such as the SSRF, the missing authorization checks and the SQL injection can be chained with an initial foothold to reach further systems.

All fixes and implementation guidance are available via the SAP Support Portal.

Source: https://cyberpress.org/sap-vulnerabilities/

SAP cybersecurity rating report: https://www.rankiteo.com/company/sap

"id": "SAP1773147083",
"linkid": "sap",
"type": "Vulnerability",
"date": "1/2019",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology/Software',
                        'name': 'SAP',
                        'type': 'Enterprise Software Provider'}],
 'attack_vector': ['Insecure Deserialization',
                   'Missing Authorization Checks',
                   'Code Injection',
                   'Insecure Storage Protection',
                   'Outdated OpenSSL'],
 'description': 'SAP has issued a security update addressing multiple '
                'vulnerabilities across its core platforms, including SAP '
                'NetWeaver, S/4HANA, Business One, Business Warehouse, and '
                'industry-specific applications. The patches resolve critical '
                'flaws that could enable remote code execution (RCE), '
                'denial-of-service (DoS), and unauthorized access if left '
                'unaddressed.',
 'impact': {'operational_impact': ['System compromise',
                                   'Disruption of system availability',
                                   'Lateral movement attacks via chained '
                                   'exploits'],
            'systems_affected': ['SAP NetWeaver',
                                 'S/4HANA',
                                 'Business One',
                                 'Business Warehouse',
                                 'SAP Quotation Management Insurance (FS-QUO)',
                                 'SAP NetWeaver Enterprise Portal '
                                 'Administration',
                                 'SAP Supply Chain Management',
                                 'SAP NetWeaver AS ABAP',
                                 'SAP BW',
                                 'S/4HANA HCM (Portugal)',
                                 'ERP HCM (Portugal)',
                                 'SAP Solution Tools Plug-In (ST-PI)',
                                 'SAP Customer Checkout 2.0',
                                 'SAP GUI for Windows with GuiXT',
                                 'SAP NetWeaver AS Java (Adobe Document '
                                 'Services)']},
 'recommendations': ['Prioritize patching FS-QUO and NetWeaver Enterprise '
                     'Portal flaws',
                     'Address remaining high and medium-severity issues in '
                     'internet-facing and business-critical systems'],
 'references': [{'source': 'SAP Support Portal'}],
 'response': {'communication_strategy': ['Advisory issued to prioritize '
                                         'patching critical flaws'],
              'remediation_measures': ['Security patches released via SAP '
                                       'Support Portal']},
 'title': 'SAP Releases Critical Security Patches for Multiple Vulnerabilities',
 'type': ['Remote Code Execution (RCE)',
          'Denial-of-Service (DoS)',
          'Unauthorized Access',
          'Server-Side Request Forgery (SSRF)',
          'SQL Injection',
          'DOM-based XSS',
          'DLL Hijacking'],
 'vulnerability_exploited': ['CVE-2019-17571 (Apache Log4j 1.2 deserialization '
                             'issue)',
                             'CVE-2026-27685 (Insecure deserialization in SAP '
                             'NetWeaver Enterprise Portal Administration)',
                             'CVE-2026-27689 (DoS in SAP Supply Chain '
                             'Management)',
                             'CVE-2026-27684 (SQL injection in SAP NetWeaver '
                             'Feedback Notification)',
                             'CVE-2026-0489 (DOM-based XSS in SAP Business One '
                             'Job Service)']}