SAP’s March 2026 Security Patch Day delivered 15 new Security Notes, including two critical vulnerabilities and one high-priority issue affecting core SAP components.
The release is smaller than February’s cycle but still touches systems that play central roles in many enterprise landscapes. Several of the most serious issues appear in components that organizations often treat as routine infrastructure.
SAPinsider maintains a continuously updated SAP Security Patch Day risk analysis that tracks developments across the year, helping readers compare vulnerabilities over time.
SAP Vulnerabilities Affecting Quotation, Portal, and Supply Chain Systems
The most serious vulnerabilities in March’s release appear in components that many organizations treat as routine infrastructure.
The Code Injection vulnerability in SAP Quotation Management Insurance (FS-QUO) (CVSS 9.8) stems from an outdated Log4j dependency that enables remote execution through the quotation scheduler module. Scheduler services often sit inside automated quotation and underwriting workflows, meaning exposure can extend across connected SAP systems.
The second critical issue, the Insecure Deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration (CVSS 9.1), presents a different challenge. Enterprise Portal administration functions often sit close to identity services and integration layers, increasing potential impact where they remain active.
The month’s high-priority item, the Denial-of-Service vulnerability in SAP Supply Chain Management (CVSS 7.7), can allow excessive resource consumption through a vulnerable RFC-enabled function module. In environments where SCM or APO coordinates planning activity, outages can disrupt logistics and manufacturing operations.
Several medium- and low-priority notes address issues in widely deployed SAP platform components. These include server-side request forgery (SSRF) and missing authorization checks in SAP NetWeaver AS ABAP, along with vulnerabilities affecting SAP GUI, SAP Customer Checkout, and SAP Business One.
Analysis
What This Means for ERP Insiders
Privilege and connectivity expand vulnerability impact. Schedulers, portals, and RFC services carry trusted access across SAP landscapes, allowing weaknesses to propagate through integrations and automated workflows.
Security Vendors Emphasize Risks in Privileged SAP Services
Vendor analyses of the March Patch Day release highlight a recurring pattern – weaknesses in trusted services with elevated privileges. Exposure depends on configuration, access rights, and the relationships between interconnected SAP systems.
Pathlock frames the release around three operational risks: the FS-QUO Log4j vulnerability, the Enterprise Portal deserialization flaw, and the supply chain denial-of-service issue. Its analysis emphasizes how these weaknesses map to practical attack scenarios, including remote execution through application schedulers, escalation through administrative interfaces, and planning outages triggered through RFC-enabled functions.
SecurityBridge contributed research to SAP Note 3707930, a missing authorization check in the SAP Solution Tools Plug-In (ST-PI). The finding reinforces a persistent theme in SAP environments: administrative tooling and platform services can introduce exposure when authorization boundaries are not tightly enforced.
Meanwhile, Layer Seven Security highlights technical details behind the vulnerabilities. Its advisory notes that the FS-QUO issue stems from a bundled Log4j library and that temporary mitigation can include removing the vulnerable JAR file from the scheduler module. Enterprise Portal fixes apply only to supported platform versions, so configuration hardening and privilege restrictions are the interim safeguards where a patch is not available.
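Because the FS-QUO mitigation turns on locating a bundled Log4j library, the first thing an administrator needs is an inventory of which archives under a deployment actually ship Log4j and which version they declare. The script below is an added example written for this article; it is not SAP's code and not taken from any vendor advisory. It walks a directory, opens every JAR/WAR/EAR/SDA archive (including archives nested inside one another, as deployable units often are), and reports the Log4j generation found plus the manifest or file-name version. The directory layout, file names and version strings in the built-in sample are constructed for the demonstration; the script only reports what it finds and leaves the comparison against the version required by the relevant SAP Note to the reader.

```python
"""Inventory Log4j artifacts bundled in a deployment tree (added example).

Walks a directory, opens every archive it finds (also archives nested inside
archives, bounded to three levels), and records whether each one contains
Log4j 1.x or Log4j 2 core classes together with the version it declares.
The result is meant to be compared against the version required by the
applicable SAP Note; nothing here decides what is vulnerable.
"""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".sda", ".zip")

# Class-path markers that distinguish the two Log4j generations.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"

VERSION_KEYS = ("Implementation-Version", "Bundle-Version", "Specification-Version")


def manifest_version(zf):
    """Return the version declared in META-INF/MANIFEST.MF, or None if absent."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    # Manifest lines may be continued by a leading space; unfold them first.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    for key in VERSION_KEYS:
        m = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def version_from_name(name):
    """Fallback: pull '1.2.17' out of a name such as 'log4j-1.2.17.jar'."""
    m = re.search(r"-(\d+(?:\.\d+)+)\.(?:jar|war|ear|sda|zip)$", name, re.IGNORECASE)
    return m.group(1) if m else None


def inspect_archive(data, label, findings, depth=0):
    """Append a finding for one archive if it bundles Log4j; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; skip silently
    with zf:
        names = zf.namelist()
        generation = None
        if any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
            generation = "log4j2-core"
        elif LOG4J1_MARKER in names:
            generation = "log4j1"
        if generation:
            findings.append({
                "archive": label,
                "generation": generation,
                "version": manifest_version(zf) or version_from_name(label) or "unknown",
            })
        if depth < 3:  # EAR -> WAR -> JAR is the usual nesting depth
            for n in names:
                if n.lower().endswith(ARCHIVE_SUFFIXES):
                    inspect_archive(zf.read(n), f"{label}!/{n}", findings, depth + 1)


def inventory_log4j(root):
    """Return a sorted list of Log4j findings for every archive under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), label, findings)
    return sorted(findings, key=lambda r: r["archive"])


def build_sample_tree(root):
    """Create a constructed deployment tree: a scheduler deployable (SDA) that
    nests a Log4j 2 core JAR, a bare Log4j 1.x JAR without a manifest, and an
    unrelated library. Every name and version here is made up for the demo."""
    lib = os.path.join(root, "scheduler", "lib")
    os.makedirs(lib, exist_ok=True)
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 2.0.0-constructed\r\n")
        zf.writestr("org/apache/logging/log4j/core/LoggerContext.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "scheduler-app.sda"), "w") as zf:
        zf.writestr("lib/log4j-core-constructed.jar", core.getvalue())
        zf.writestr("com/example/Scheduler.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(lib, "commons-x-1.0.jar"), "w") as zf:
        zf.writestr("org/example/Util.class", b"\xca\xfe\xba\xbe")


def run_demo():
    """Build the constructed tree in a temp dir and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory_log4j(tmp)


if __name__ == "__main__":
    for row in run_demo():
        print(f"{row['archive']}: {row['generation']} version={row['version']}")
```

Point it at the real installation root instead of the constructed tree (`inventory_log4j("/path/to/deployment")`) and it prints one line per archive that bundles Log4j, with nested archives shown in `outer.sda!/inner.jar` form so you can see exactly which deployable unit carries the library. Archives that declare no version in their manifest fall back to the version in the file name, and ones with neither are reported as `unknown` rather than dropped, which is the case most worth a manual look.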
Analysis
What This Means for ERP Insiders
SAP risk follows system trust relationships. Vulnerabilities inside privileged services matter most where configurations and integrations connect systems across the landscape.
About Us
ERP Today covers how ERP, cloud, and AI change the way businesses run. Our editors speak with practitioners, vendors, and analysts to surface the technology, contracts, and risks that matter for enterprise leaders.