=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN283
_____________________________________________________________________

DATE                : 10/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march-2026.html
_____________________________________________________________________


SAP Security Patch Day - March 2026

This post shares information on the security notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the Support Portal and apply patches as a
priority to protect their SAP landscape.

On 10 March 2026, SAP Security Patch Day saw the release of 15
new security notes. There are no updates to previously released Patch
Day security notes.

Note#              Title                 Priority               CVSS

3698553
[CVE-2019-17571] Code Injection vulnerability in SAP Quotation
Management Insurance application (FS-QUO)
Product - SAP Quotation Management Insurance application (FS-QUO)
Version(s) - FS-QUO 800
Critical
9.8

3714585
[CVE-2026-27685] Insecure Deserialization in SAP NetWeaver Enterprise
Portal Administration
Product - SAP NetWeaver Enterprise Portal Administration
Version(s) - EP-RUNTIME 7.50
Critical
9.1

3719502
[CVE-2026-27689] Denial of service (DOS) in SAP Supply Chain Management
Product - SAP Supply Chain Management
Version(s) - SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106,
107, 108, 109, SCM 700, 701, 702, 712
High
7.7

3689080
[CVE-2026-24316] Server-Side Request Forgery (SSRF) in SAP NetWeaver
Application Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753,
SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758,
SAP_BASIS 816, SAP_BASIS 918
Medium
6.4

3703856
[CVE-2026-24309] Missing Authorization check in SAP NetWeaver Application
Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731,
SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753,
SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758,
SAP_BASIS 816
Medium
6.4

3697355
[CVE-2026-27684] SQL Injection Vulnerability in SAP NetWeaver (Feedback
Notification)
Product - SAP NetWeaver (Feedback Notification)
Version(s) - SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75A, 75B, 75C,
75D, 75E, 75F, 75G, 75H, 75I, 816
Medium
6.4

3693543
[CVE-2026-0489] DOM-based Cross-Site Scripting (XSS) Vulnerability in SAP
Business One (Job Service)
Product - SAP Business One (Job Service)
Version(s) - B1_ON_HANA 10.0, SAP-M-BO 10.0
Medium
6.1

3703385
[CVE-2026-27686] Missing Authorization check in SAP Business Warehouse
(Service API)
Product - SAP Business Warehouse (Service API)
Version(s) - DW4CORE 200, 300, 400, PI_BASIS 2006_1_700, 701, 702, 730, 731,
740, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 816
Medium
5.9

3701020
[CVE-2026-27687] Missing Authorization check in SAP S/4HANA HCM Portugal and
SAP ERP HCM Portugal
Product - SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
Version(s) - S4HCMCPT 100, 101, 102, SAP_HRCPT 600, 604, 608
Medium
5.8

3708457
[CVE-2026-24311] Insecure Storage Protection vulnerability in SAP Customer
Checkout 2.0
Product - SAP Customer Checkout 2.0
Version(s) - SAP_CUSTOMER_CHECKOUT 2.0
Medium
5.6

3699761
[CVE-2026-24317] DLL Hijacking vulnerability in SAP GUI for Windows with
active GuiXT
Product - SAP GUI for Windows with active GuiXT
Version(s) - BC-FES-GUI 8.00
Medium
5.0

3704740
[CVE-2026-27688] Missing Authorization check in SAP NetWeaver Application
Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 730,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752,
SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757,
SAP_BASIS 758, SAP_BASIS 816
Medium
5.0

3707930
[CVE-2026-24313] Missing Authorization check in SAP Solution Tools Plug-In
(ST-PI)
Product - SAP Solution Tools Plug-In (ST-PI)
Version(s) - ST-PI 2008_1_700, 2008_1_710, 740, 758
Medium
5.0

3700960
[Multiple CVEs] Denial of Service due to Outdated OpenSSL Version in SAP
NetWeaver AS Java (Adobe Document Services)
Related CVEs - CVE-2025-9230, CVE-2025-9232
Product - SAP NetWeaver AS Java (Adobe Document Services)
Version(s) - ADSSAP 7.50
Medium
4.3

3694383
[CVE-2026-24310] Missing Authorization check in SAP NetWeaver Application
Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750,
SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Low
3.5

To learn more about the security researchers and research companies who
contributed to this month's security patches, visit here.

SAP is committed to delivering trustworthy products and cloud services. Secure
configuration is essential to ensuring secure operation and data integrity.
We have therefore documented security recommendations that are consolidated
in this document to help you configure the best security for your SAP
portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to
secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




