SAP Security Patch Day March 2026: Quotation, Portal, and Supply Chain Vulnerabilities

SAP’s March 2026 Security Patch Day delivered 15 new Security Notes. The release includes two critical vulnerabilities and one high-priority issue affecting core SAP components, alongside a broader set of lower-severity fixes that highlight where security weaknesses continue to emerge across complex SAP landscapes.

Compared with recent Patch Days, the March release shows a similar distribution of vulnerabilities across severity categories. The number of critical issues remains limited, yet the recurring presence of authorization and injection-related flaws continues to point to structural exposure across complex SAP landscapes.

SAPinsider maintains a continuously updated analysis tracking Security Patch Day developments throughout the year, providing a broader view of how vulnerability patterns evolve across releases and which issues are most likely to affect enterprise risk.

Vulnerabilities Across Quotation, Portal, and Supply Chain Systems

The most serious vulnerabilities in March’s release appear in components that many organizations treat as routine infrastructure.

The Code Injection vulnerability in SAP Quotation Management Insurance (FS-QUO) (CVSS 9.8) stems from an outdated Log4j dependency that enables remote execution through the quotation scheduler module. Scheduler services often sit inside automated quotation and underwriting workflows, meaning exposure can extend across connected SAP systems.

The second critical issue, the Insecure Deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration (CVSS 9.1), presents a different challenge. Enterprise Portal administration functions often sit close to identity services and integration layers, increasing potential impact where they remain active.

The month’s high-priority item, the Denial-of-Service vulnerability in SAP Supply Chain Management (CVSS 7.7), can allow excessive resource consumption through a vulnerable RFC-enabled function module. In environments where SCM or APO coordinates planning activity, outages can disrupt logistics and manufacturing operations.

Several medium- and low-priority notes address issues in widely deployed SAP platform components. These include server-side request forgery (SSRF) and missing authorization checks in SAP NetWeaver AS ABAP, along with vulnerabilities affecting SAP GUI, SAP Customer Checkout, and SAP Business One.

Security Research Highlights Risks in Privileged SAP Services

Vendor analyses of the March Patch Day release highlight a recurring pattern – weaknesses in trusted services with elevated privileges. Exposure depends on configuration, access rights, and the relationships between interconnected SAP systems.

Pathlock frames the release around three operational risks: the FS-QUO Log4j vulnerability, the Enterprise Portal deserialization flaw, and the supply chain denial-of-service issue. Its analysis emphasizes how these weaknesses map to practical attack scenarios, including remote execution through application schedulers, escalation through administrative interfaces, and planning outages triggered through RFC-enabled functions.

SecurityBridge contributed research to SAP Note 3707930, a missing authorization check in the SAP Solution Tools Plug-In (ST-PI). The finding reinforces a persistent theme in SAP environments: administrative tooling and platform services can introduce exposure when authorization boundaries are not tightly enforced.

Meanwhile, Layer Seven Security highlights technical details behind the vulnerabilities. Its advisory notes that the FS-QUO issue stems from a bundled Log4j library and that temporary mitigation can include removing the vulnerable JAR file from the scheduler module. Enterprise Portal fixes apply only to supported platform versions, requiring configuration hardening and privilege restrictions as interim safeguards.

What This Means for SAPinsiders

• Privileged SAP services remain a central attack surface. Vulnerabilities are emerging in background services and administrative modules that operate with broad system permissions. These components often bridge application, integration, and identity layers, allowing weaknesses to propagate across multiple SAP environments.
• Legacy dependencies continue to shape SAP security risk. The Log4j exposure illustrates how vulnerabilities frequently originate in bundled libraries. Enterprise systems accumulate these dependencies over long lifecycles, meaning outdated components can persist inside applications that otherwise appear stable.
• Interconnected SAP landscapes amplify localized vulnerabilities. Modern SAP environments rarely operate as isolated systems. Scheduling services, integration layers, and RFC-enabled modules often coordinate activity across finance, logistics, and planning systems, allowing localized weaknesses to disrupt broader operational workflows.

A version of this article was first published by ERP Today on March 11, 2026.