Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.
March 2026 Notes
Monthly Summary and Highlights
This month the total number has been 15 notes (all new, with no updates), 12 fewer than in February. This month 2 Hot News were published, the same number as in the previous period. Regarding high-priority notes, there is 1, six fewer compared to February. Medium and low priority notes will not be reviewed, so we will provide details for a total of 3 notes (all those with a CVSS of 7 or higher).
We have a total of 15 notes for the whole month (all 15 are new and there are no updates to notes from previous months).
We will review in detail a total of 3 notes, all of them high-priority and Hot News:
-
The most critical note of the month (CVSS 9.8) is a Hot News and is related to “Code Injection vulnerability in SAP Quotation Management Insurance application (FS-QUO)”.
-
The next in terms of criticality (CVSS 9.1) is the second Hot News of the month and is related to “Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration”.
-
The last note we will review (CVSS 7.7) is high-priority and concerns “Denial of Service (DoS) in SAP Supply Chain Management”.
This month the most predominant type once again was “Missing Authorization Check” (6/15 in the Patch Day).
In the chart we can see the classification of the March notes, as well as the evolution and classification of the previous 5 months (only the Sec. Tuesday / Patch Day notes – by SAP):
Full details
The complete detail of the most relevant notes is as follows:
-
Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) (3697099): An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability. A temporary workaround is available. CVSS v3 Base Score 9,9/10 [CVE-2026-0488]
-
Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform (3674774): SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application. CVSS v3 Base Score 9,6/10 [CVE-2026-0509]
-
XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform (3697567): SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage. A temporary workaround is available. CVSS v3 Base Score 8,8/10 [CVE-2026-23687]
-
Denial of service (DOS) in SAP Supply Chain Management (3703092): Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected. CVSS v3 Base Score 7,7/10 [CVE-2026-23689]
-
Missing Authorization check in SAP Solution Tools Plug-In (ST-PI) (3705882): SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability. CVSS v3 Base Score 7,7/10 [CVE-2026-24322]
-
Denial of service (DOS) in SAP BusinessObjects BI Platform (3654236): SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks the authentication, which prevents the legitimate users from accessing the platform. As a result, it has a high impact on the availability but no impact on the confidentiality and integrity. A temporary workaround is available. CVSS v3 Base Score 7,5/10 [CVE-2026-0490]
-
Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform (3678282): SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause the Content Management Server (CMS) to crash and automatically restart. By repeatedly submitting these requests, the attacker could induce a persistent service disruption, rendering the CMS completely unavailable. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected. A temporary workaround is available. CVSS v3 Base Score 7,5/10 [CVE-2026-0485]
-
Race Condition in SAP Commerce Cloud (3692405): Under certain conditions, SAP Commerce Cloud allows an authenticated user to bypass SSL trust validation for outbound connections due to a race condition in the Eclipse Jersey library (CVE-2025-12383), leading to a High impact on confidentiality and integrity, and no impact on the availability of the application. CVSS v3 Base Score 7,4/10 [CVE-2025-12383]
-
Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform (3674246): The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and subsequently download the malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application. CVSS v3 Base Score 7,3/10 [CVE-2026-0508]
Reference links
Other references, from SAP and Onapsis (March):
Resources affected
The full list of affected systems/components is as follows:
-
SAP CRM and SAP S/4HANA (Scripting Editor): S4FND 102-109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801
-
SAP NetWeaver Application Server ABAP and ABAP Platform: KRNL64NUC 7.22, KRNL64UC 7.22, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19; SAP_BASIS 700-702, 731, 740, 750-758, 804, 816, 916-918
-
SAP Supply Chain Management: SCMAPO 713, 714, SCM 700, 701, 702, 712
-
SAP Solution Tools Plug-In (ST-PI): ST-PI 2008_1_700, 2008_1_710, 740, 758
-
SAP BusinessObjects BI Platform: ENTERPRISE 430, 2025, 2027
-
SAP Commerce Cloud: HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21