SAP Security Patch Day March 2026

SAP has released security updates to address several vulnerabilities affecting multiple SAP products.

SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products, such as SAP NetWeaver Enterprise Portal Administration, SAP NetWeaver Application Server for ABAP, SAP NetWeaver (Feedback Notification), SAP Supply Chain Management, SAP Business One (Job Service), SAP Business Warehouse (Service API), SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, and SAP NetWeaver AS Java (Adobe Document Services).

An attacker could exploit some of these vulnerabilities to perform denial-of-service attacks, conduct cross-site scripting attacks, execute SQL injection and server-side request forgery (SSRF) attacks, bypass security restrictions, hijack dynamic-link libraries (DLLs), obtain sensitive information, execute arbitrary code, and gain access to the affected systems.

Sample of the addressed vulnerabilities:

1. SAP NetWeaver Enterprise Portal Administration Insecure Deserialization Vulnerability (CVE-2026-27685):

  • CVSS: 9.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Consequences: Gain Access

2. SAP Supply Chain Management Denial of Service (DoS) Vulnerability (CVE-2026-27689):

  • CVSS: 7.7
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Denial of Service
Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.
