SAP Security Patch Day – March 2026
As we move into March, the year is fully underway, and SAP security should remain firmly on the agenda! While this month’s patch volume is lower than in February, it still serves as an important reminder that delaying security updates is never a good idea. Timely patching remains one of the most effective ways to reduce exposure to known vulnerabilities and shrink the attack surface across SAP landscapes.
This month’s SAP Security Patch Day brought 20 Security Notes (including updates and interim releases) significant enough to require careful review and prioritization. Every Patch Day introduces fixes that can affect different parts of the SAP landscape, and even a smaller release can contain notes with meaningful security impact. Below, we highlight the most relevant notes from March and explain what they could mean for your SAP environment.
SAP environments continue to grow in complexity, spanning on-premise systems, cloud services, and hybrid architectures. That makes patch management far more than a routine maintenance task. With many interconnected components and dependencies, patching can quickly become time-consuming, resource-intensive, and difficult to coordinate, making it easier for important fixes to be overlooked. At SecurityBridge, we understand these challenges deeply. Our SecurityBridge Patch Management for SAP solution helps you identify missing patches across your SAP landscape, providing clear visibility, impact analysis, and automated implementation support. With a system-wide overview, it helps shorten patching cycles and strengthen continuous threat monitoring, supporting a more secure and resilient SAP environment throughout 2026.
SecurityBridge Findings!
At SecurityBridge, we don’t just provide a comprehensive SAP security platform — we’re also deeply invested in ongoing research within the SAP security domain.
For this month’s release, our latest discoveries are:
- Medium priority: note 3707930 – [CVE-2026-24313] Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)
Security notes - March 2026
HotNews
Let’s start with the HotNews category, SAP’s highest-priority classification. There are 2 new notes this month.
3698553 — Code Injection vulnerability in SAP Quotation Management Insurance application
A common cause of vulnerabilities is the use of underlying software libraries that contain security issues. This is exactly the case here: the relevant scheduler module uses Apache Log4j (remember that one?), which is itself vulnerable and may allow the execution of arbitrary code. The solution is to apply the patch or manually update the component; alternatively, there is also a workaround to consider. See also note 3720225.
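An inventory check for the bundled-library problem described above, as an added example (not code from SAP, SecurityBridge or the Security Note): it looks for the Log4j 1.x `SocketServer` class, the class CVE-2019-17571 concerns, inside JAR/WAR/EAR files, including archives nested in other archives. The sample WAR, its file names and its version string are constructed; nothing is assumed about which archives an FS-QUO installation actually ships.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class at the centre of CVE-2019-17571 (Log4j 1.2.x SocketServer).
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def manifest_version(zf):
    """Implementation-Version from the archive manifest, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()

def scan_archive(data, label, depth=0, max_depth=4):
    """Yield (location, version) for each archive bundling SocketServer."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable archive: skip it, keep scanning
    with zf:
        names = zf.namelist()
        if SOCKET_SERVER in names:
            yield label, manifest_version(zf)
        for name in names:  # descend into archives packed inside this one
            if depth < max_depth and name.lower().endswith(ARCHIVES):
                yield from scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)

def scan_tree(root):
    """Scan every archive under root, nested ones included."""
    files = (p for p in sorted(Path(root).rglob("*")) if p.suffix.lower() in ARCHIVES)
    return [hit for p in files if p.is_file() for hit in scan_archive(p.read_bytes(), p.as_posix())]

def build_constructed_sample(root):
    """Constructed data: a WAR with a stub Log4j 1.x JAR nested inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 1.2.17\n")
        jar.writestr(SOCKET_SERVER, b"stub")
    with zipfile.ZipFile(Path(root) / "sample-app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-1.2.17.jar", buf.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(scan_tree(tmp))
```

A hit shows only that the class is present on disk, so it is a prompt to check the note's patch or workaround status for that system, not proof of exposure. The nested descent matters because a library packed inside a WAR or EAR does not appear in a top-level file listing.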
3714585 — Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration
This vulnerability is another example of an issue we have seen quite frequently lately: insecure deserialization. The patch introduces additional content validation and should be imported, as there is no workaround available. See also FAQ note 3724167.
High-Priority Notes
We have 2 High-priority notes this month. One of them, note 3697567, was updated with only minor textual changes, so we focus here on the newly released note below.
3719502 — Denial of service (DOS) in SAP Supply Chain Management
This vulnerability is caused by a function module that allows uncontrolled looping, which can result in a DoS condition. The only solution is to import the patch.
Medium- and Low-Priority Notes
As is often the case, the majority of Security Notes fall into the Medium or Low category. This month, there are 15 Medium-priority notes and 1 Low-priority note. In many cases, the main recommendation is simply to patch and resolve the issue. Still, a few notes are worth highlighting below. For a full breakdown, scroll to the end of this post.
3708457 – Insecure Storage Protection vulnerability in SAP Customer Checkout 2.0
SAP Customer Checkout is a solution that may not be widely known across the SAP customer base. It involves a local Java-based installation that stores data insecurely. New customers should make sure to use the updated version. Existing customers, meanwhile, should pay close attention to the manual steps required to enable the correct secure storage option.
3700960 – [Multiple CVEs] Denial of Service due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Services)
Many customers and administrators do not realize that their SAP NetWeaver Java system often includes additional installed components. Adobe Document Services is one such component, and it is often present whether it is actively used or not. These components can easily go unnoticed and so can the related security issues. In this case, an outdated OpenSSL version (again, an underlying library) introduces a vulnerability into the system. Make sure to patch it, and while you are at it, review which components are installed and which ones are actually needed. Reducing the attack surface as much as possible is an important step toward cyber resilience.
SAP Security Notes March 2026
Highlights
A lower number of notes compared to previous months with the majority having a medium priority.
Summary by Severity
The March release contains a total of 20 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 2 |
| High | 2 |
| Medium | 15 |
| Low | 1 |

| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3698553 | [CVE-2019-17571] Code Injection vulnerability in SAP Quotation Management Insurance application (FS-QUO) Priority: HotNews Released on: 03/10/2026 Components: FS-QUO Category: Program error | Hot News | 9.8 |
| 3714585 | [CVE-2026-27685] Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration Priority: HotNews Released on: 03/10/2026 Components: BC-PIN-PCD Category: Program error | Hot News | 9.1 |
| 3697567 | [CVE-2026-23687] XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform Priority: Correction with high priority Released on: 02/10/2026 Components: BC-SEC-WSS Category: Program error | High | 8.8 |
| 3719502 | [CVE-2026-27689] Denial of service (DOS) in SAP Supply Chain Management Priority: Correction with high priority Released on: 03/10/2026 Components: SCM-APO-INT-EXT Category: Program error | High | 7.7 |
| 3695912 | [CVE-2026-24324] Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools) Priority: Correction with medium priority Released on: 02/10/2026 Components: BI-BIP-SRV Category: Program error | Medium | 6.5 |
| 3672622 | [CVE-2026-0484] Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA Priority: Correction with medium priority Released on: 02/10/2026 Components: BC-DWB-CEX-CF Category: Program error | Medium | 6.5 |
| 3703856 | [CVE-2026-24309] Missing Authorization check in SAP NetWeaver Application Server for ABAP Priority: Correction with medium priority Released on: 03/10/2026 Components: BC-DB-ORA-CCM Category: Program error | Medium | 6.4 |
| 3697355 | [CVE-2026-27684] SQL Injection Vulnerability in SAP NetWeaver (Feedback Notification) Priority: Correction with medium priority Released on: 03/10/2026 Components: CA-NO Category: Program error | Medium | 6.4 |
| 3689080 | [CVE-2026-24316] Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP Priority: Correction with medium priority Released on: 03/10/2026 Components: BC-TWB-TST-ECA Category: Program error | Medium | 6.4 |
| 3693543 | [CVE-2026-0489] DOM-based Cross-Site Scripting (XSS) Vulnerability in SAP Business One (Job Service) Priority: Correction with medium priority Released on: 03/10/2026 Components: SBO-CRO-SEC Category: Program error | Medium | 6.1 |
| 3703385 | [CVE-2026-27686] Missing Authorization check in SAP Business Warehouse (Service API) Priority: Correction with medium priority Released on: 03/10/2026 Components: BC-BW Category: Program error | Medium | 5.9 |
| 3701020 | [CVE-2026-27687] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal Priority: Correction with medium priority Released on: 03/10/2026 Components: PY-PT Category: Program error | Medium | 5.8 |
| 3708457 | [CVE-2026-24311] Insecure Storage Protection vulnerability in SAP Customer Checkout 2.0 Priority: Correction with medium priority Released on: 03/10/2026 Components: IS-SE-CCO Category: Program error | Medium | 5.6 |
| 3699761 | [CVE-2026-24317] DLL Hijacking vulnerability in SAP GUI for Windows with active GuiXT Priority: Correction with medium priority Released on: 03/10/2026 Components: BC-FES-GXT Category: Program error | Medium | 5.0 |
| 3704740 | [CVE-2026-27688] Missing Authorization check in SAP NetWeaver Application Server for ABAP Priority: Correction with medium priority Released on: 03/10/2026 Components: BC-DB-SDB Category: Program error | Medium | 5.0 |
| 3707930 | [CVE-2026-24313] Missing Authorization check in SAP Solution Tools Plug-In (ST-PI) Priority: Correction with medium priority Released on: 03/10/2026 Components: SV-SMG-SDD Category: Program error | Medium | 5.0 |
| 3396109 | [CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML Priority: Correction with medium priority Released on: 2/13/24 Components: BC-FES-BUS Category: Program error | Medium | 4.7 |
| 3700960 | [Multiple CVEs] Denial of Service due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Services) Priority: Correction with medium priority Released on: 03/10/2026 Components: BC-SRV-FP Category: Program error | Medium | 4.3 |
| 3646297 | [CVE-2026-24314] Information Disclosure vulnerability in SAP S/4HANA (Manage Payment Media) Priority: Correction with medium priority Released on: 2/24/26 Components: FI-FIO-AP-PAY Category: Program error | Medium | 4.3 |
| 3694383 | [CVE-2026-24310] Missing Authorization check in SAP NetWeaver Application Server for ABAP Priority: Correction with low priority Released on: 03/10/2026 Components: BC-DB-INF Category: Program error | Low | 3.5 |
