Critical SAP FS-QUO and NetWeaver Vulnerabilities Exposed in March 2026 Security Patch Day: Immediate Action Required

Executive Summary
The March 2026 Security Patch Day from SAP has brought to light two critical vulnerabilities affecting SAP FS-QUO (Quotation Management Insurance) and SAP NetWeaver Enterprise Portal Administration. Both are insecure deserialization flaws: CVE-2019-17571 enables unauthenticated remote code execution through the Apache Log4j 1.2 SocketServer, and CVE-2026-27685 enables arbitrary code execution by high-privileged users of the portal's administrative interfaces. Exploitation of either flaw could result in full system compromise, including the loss of confidentiality, integrity, and availability of business-critical SAP environments. The vulnerabilities are particularly severe because they rely on widely known exploitation techniques, such as the Log4j 1.2 deserialization flaw, and because of the central role of SAP NetWeaver in enterprise operations. Immediate patching and robust mitigation strategies are essential to prevent potential breaches and maintain operational resilience.
Technical Information
The first vulnerability, CVE-2019-17571, impacts the SAP FS-QUO application, specifically its scheduler module, which utilizes the Apache Log4j 1.2 library. This flaw arises from insecure deserialization in the Log4j SocketServer class. An attacker can remotely send a crafted serialized Java object to the vulnerable service, which, when deserialized, allows for arbitrary code execution on the SAP server. This attack vector is unauthenticated and can be exploited over the network, making it highly attractive for threat actors seeking initial access to enterprise environments. The vulnerability is addressed by SAP Security Note 3698553, which mandates an emergency patch and recommends the removal or update of Log4j 1.2 components.
The second vulnerability, CVE-2026-27685, affects SAP NetWeaver Enterprise Portal Administration (specifically EP-RUNTIME 7.50). This issue is rooted in insecure deserialization within administrative interfaces. High-privileged attackers, such as compromised administrators or malicious insiders, can inject malicious serialized objects, leading to arbitrary code execution and cross-scope compromise of the portal environment. The exploitation of this vulnerability requires administrative credentials but can be leveraged for lateral movement and persistent access once initial access is gained. SAP Security Note 3714585 provides the necessary patch, which should be applied within 24 hours of release.
Both vulnerabilities are mapped to the MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter), reflecting their use in initial access and post-exploitation scenarios. Indicators of compromise include unusual outbound connections from SAP servers, unexpected Java process spawns, new files in SAP directories, and log entries referencing serialized object errors or Log4j SocketServer activity.
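The indicators listed above (Log4j SocketServer activity, serialized-object errors, Java processes spawning shells, new files in SAP directories, unusual outbound connections) are simple enough to triage with a small rule set. The following Python is an added example written for this report, not code from SAP, Rescana, or any vendor; the log format, hostnames, paths, and IP addresses are constructed, and the internal network ranges are an assumption you would replace with your own. It also includes a check for the Java serialization stream header (raw 0xACED0005 or its base64 form rO0AB), which is how a serialized object arriving at a web-facing administrative endpoint would look to a request inspector.

```python
"""Indicator triage for the SAP deserialization advisories (added example, constructed data)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal ranges for a hypothetical estate; anything else counts as
# "unusual outbound" from an SAP host. Replace with your own allowlist.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Java object stream header (magic 0xACED, version 5) and its base64 prefix.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_B64_PREFIX = b"rO0AB"


@dataclass
class Finding:
    line_no: int
    indicator: str
    related: str   # advisory or ATT&CK technique the indicator maps to
    text: str


# (indicator name, pattern, what it relates to)
RULES = [
    ("log4j_socketserver", re.compile(r"\bSocketServer\b"), "CVE-2019-17571"),
    ("serialized_object_error",
     re.compile(r"InvalidClassException|StreamCorruptedException|ObjectInputStream\.readObject"),
     "CVE-2019-17571 / CVE-2026-27685"),
    ("java_spawned_shell",
     re.compile(r"parent=java\[\d+\]\s+child=(?:/bin/sh|/bin/bash|cmd\.exe|powershell\.exe)\b"),
     "T1059"),
    ("new_file_in_sap_dir", re.compile(r"new file (/usr/sap/\S+)"), "CVE-2019-17571 / CVE-2026-27685"),
]
OUTBOUND = re.compile(r"outbound \S+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+")


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan(lines):
    """Apply every rule to every line; a line may yield several findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, pattern, related in RULES:
            if pattern.search(line):
                findings.append(Finding(n, name, related, line))
        m = OUTBOUND.search(line)
        if m and not is_internal(m.group(1)):
            findings.append(Finding(n, "unusual_outbound_from_sap_host", "T1190 follow-on", line))
    return findings


def looks_like_java_serialized(body: bytes) -> bool:
    """True if a request body starts with a raw or base64-encoded Java object stream."""
    return body.startswith(JAVA_SERIAL_MAGIC) or body.lstrip().startswith(JAVA_SERIAL_B64_PREFIX)


# Constructed sample lines modelling the indicator types from the advisory.
SAMPLE_LOGS = [
    "2026-03-10T09:12:01Z fsquo-sched01 log4j: SocketServer listening on port 4560",
    "2026-03-10T09:12:05Z fsquo-sched01 log4j: java.io.InvalidClassException: filter status: REJECTED",
    "2026-03-10T09:12:06Z fsquo-sched01 audit: process spawn parent=java[2231] child=/bin/sh",
    "2026-03-10T09:12:09Z fsquo-sched01 fim: new file /usr/sap/FSQ/sys/exe/run/.x_tmp.jsp",
    "2026-03-10T09:12:11Z fsquo-sched01 netflow: outbound 10.1.2.3:45122 -> 203.0.113.7:443 proto=tcp",
    "2026-03-10T09:12:12Z fsquo-sched01 netflow: outbound 10.1.2.3:50120 -> 10.1.9.8:443 proto=tcp",
    "2026-03-10T09:15:00Z fsquo-sched01 sapcontrol: GetProcessList ok",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.indicator} ({f.related})")
```

On the sample data the scan produces five findings from seven lines: the two internal-only lines (the 10.1.9.8 connection and the routine sapcontrol call) are not flagged. The serialized-object check is deliberately a prefilter, not a parser; it is meant to tell you that an object stream reached an endpoint that should only ever receive form data or JSON, so the request can be blocked or routed for review.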
Exploitation in the Wild
The exploitation landscape for these vulnerabilities is shaped by the prevalence of public proof-of-concept (PoC) exploits and the criticality of the affected SAP components. For CVE-2019-17571, public PoCs for Log4j 1.2 deserialization have been available since 2019, and similar flaws have been actively targeted in other enterprise software. While there are no confirmed public breaches specifically attributed to SAP FS-QUO as of this report, the risk remains high due to the ease of exploitation and the widespread deployment of the affected module in insurance and financial services sectors.
For CVE-2026-27685, insecure deserialization vulnerabilities in SAP NetWeaver have historically attracted the attention of advanced persistent threat (APT) groups. Although no public PoC exists for this specific CVE, the exploitation techniques are well-documented, and the attack vector aligns with methods used in previous SAP-targeted campaigns. The risk is amplified in environments where administrative interfaces are exposed beyond internal networks or where privileged credentials are insufficiently protected.
APT Groups Using These Vulnerabilities
While there is no direct attribution to specific APT groups for these exact vulnerabilities, the exploitation techniques are consistent with those employed by groups such as APT10 and APT41. These groups have a documented history of targeting SAP and other enterprise resource planning (ERP) systems using public-facing application exploits and deserialization-based code execution. Their campaigns often focus on sectors such as finance, insurance, manufacturing, and government, leveraging initial access to conduct credential theft, lateral movement, and data exfiltration. The use of MITRE ATT&CK T1190 and T1059 techniques further underscores the alignment with known APT tradecraft.
Affected Product Versions
The critical vulnerabilities addressed in the March 2026 patch cycle impact the following SAP product versions:
SAP FS-QUO (Quotation Management Insurance) is affected in version FS-QUO 800, specifically the scheduler module utilizing Apache Log4j 1.2. Organizations running this version are at risk of unauthenticated remote code execution via the Log4j deserialization flaw.
SAP NetWeaver Enterprise Portal Administration is affected in version EP-RUNTIME 7.50. The insecure deserialization vulnerability in administrative interfaces exposes environments to arbitrary code execution by high-privileged attackers.
Additional vulnerabilities patched in this cycle include denial-of-service, SQL injection, server-side request forgery, and missing authentication issues in various SAP NetWeaver and Supply Chain Management components. For a comprehensive list of affected versions, refer to the official SAP Security Notes and the references section of this report.
Workaround and Mitigation
Immediate action is required to mitigate the risks posed by these vulnerabilities. For SAP FS-QUO, organizations must apply SAP Note 3698553 without delay and remove or update all instances of Log4j 1.2 where feasible. Network access to scheduler hosts should be restricted, and monitoring for suspicious outbound connections and process activity is strongly recommended.
For SAP NetWeaver Enterprise Portal Administration, SAP Note 3714585 must be applied within 24 hours. Administrative access should be tightly controlled using network allowlists and VPN-only access, with multi-factor authentication enforced for all portal administrators. Regular monitoring of administrative actions and portal logs for anomalies is essential to detect potential exploitation attempts.
Additional best practices include enforcing strong authentication for privileged users, rotating credentials, keeping administrative interfaces internal-only, disabling unused services, and validating the effectiveness of applied patches through component version checks and workflow testing.
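The recommendation to remove or update Log4j 1.2 and to validate patches through component version checks needs an inventory step: find every Log4j 1.x jar on the scheduler hosts and determine whether the vulnerable SocketServer class is still inside it. The Python below is an added example written for this report, not SAP's or any vendor's tooling. It distinguishes Log4j 1.x (class prefix org/apache/log4j/) from Log4j 2 (org/apache/logging/log4j/) by jar contents rather than by file name, and it builds constructed sample jars in a temporary directory so it runs offline; the directory layout and versions in the fixture are assumptions.

```python
"""Log4j 1.x / SocketServer inventory check (added example, constructed fixture)."""
from __future__ import annotations
import tempfile
import zipfile
from pathlib import Path

SOCKET_SERVER_ENTRY = "org/apache/log4j/net/SocketServer.class"   # CVE-2019-17571 entry point
LOG4J1_MARKER = "org/apache/log4j/Logger.class"                    # present in Log4j 1.x, absent in Log4j 2


def inspect_jar(path: Path) -> dict:
    """Read a jar's entry list and manifest version without extracting it."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    return {
        "path": str(path),
        "version": version,
        "is_log4j1": LOG4J1_MARKER in names,
        "has_socketserver": SOCKET_SERVER_ENTRY in names,
    }


def scan_tree(root: Path) -> list[dict]:
    """Return every Log4j 1.x jar under root, sorted by path."""
    return [info for jar in sorted(root.rglob("*.jar"))
            if (info := inspect_jar(jar))["is_log4j1"]]


def severity(info: dict) -> str:
    if info["has_socketserver"]:
        return "CRITICAL: Log4j 1.x with SocketServer present (CVE-2019-17571 exposure)"
    return "HIGH: Log4j 1.x present (end-of-life); SocketServer class removed"


def make_fixture(root: Path) -> None:
    """Build constructed sample jars: one vulnerable, one with SocketServer stripped, one Log4j 2."""
    def write_jar(path: Path, version: str, entries: list[str]) -> None:
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            for entry in entries:
                zf.writestr(entry, b"")   # class bytes are irrelevant to this check

    write_jar(root / "scheduler/lib/log4j-1.2.17.jar", "1.2.17",
              [LOG4J1_MARKER, SOCKET_SERVER_ENTRY])
    write_jar(root / "patched/lib/log4j-1.2.17-stripped.jar", "1.2.17",
              [LOG4J1_MARKER])
    write_jar(root / "other/lib/log4j-core-2.17.1.jar", "2.17.1",
              ["org/apache/logging/log4j/core/Logger.class"])


def demo() -> list[dict]:
    """Run the scan against the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for info in demo():
        print(f"{info['path']} (version {info['version']}): {severity(info)}")
```

Run against a real host you would point scan_tree at the SAP installation root instead of the fixture. The "HIGH" outcome is intentional: a jar with SocketServer removed no longer exposes CVE-2019-17571, but Log4j 1.2 is end-of-life and still warrants the update the SAP note recommends, so the check reports it rather than treating it as clean.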
References
RedRays SAP Security Patch Day March 2026: https://redrays.io/blog/sap-security-patch-day-march-2026/
Pathlock SAP Patch Tuesday: https://pathlock.com/blog/security-alerts/sap-security-patch-tuesday-march-2026/
Heise SAP Patch Day: https://www.heise.de/en/news/SAP-Patch-Day-NetWeaver-vulnerability-allows-code-injection-11205113.html
NVD CVE-2019-17571: https://nvd.nist.gov/vuln/detail/CVE-2019-17571
GitHub PoC for Log4j 1.2 Deserialization: https://github.com/mbechler/marshalsec
Exploit-DB 47837: https://www.exploit-db.com/exploits/47837
SAP Support Portal – March 2026 Patch Day: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march-2026.html
SecurityBridge SAP Security Patch Day March 2026: https://securitybridge.com/blog/sap-security-patch-day-march-2026/
Rescana is here for you
At Rescana, we understand the critical importance of proactive risk management in today’s complex digital landscape. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire supply chain and vendor ecosystem. We are committed to supporting your security teams with actionable intelligence, advanced analytics, and expert guidance to help you stay ahead of emerging threats. If you have any questions or require further assistance, our team is always available at ops@rescana.com.