SAP has released security updates to address two critical security flaws that could be exploited to achieve arbitrary code execution on affected systems.
The vulnerabilities in question listed below -
- CVE-2019-17571 (CVSS score: 9.8) - A code injection vulnerability in SAP Quotation Management Insurance application (FS-QUO)
- CVE-2026-27685 (CVSS score: 9.1) - An insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration
"The application uses an outdated artifact of Apache Log4j 1.2.17 that is vulnerable to CVE-2019-17571," SAP security company Onapsis said. "It allows an unprivileged attacker to execute arbitrary code remotely on the server, causing high impact on confidentiality, integrity, and availability of the application."
CVE-2026-27685, on the other hand, stems from missing or insufficient validation during the deserialization of uploaded content, which could allow an attacker to upload untrusted or malicious content.
"Only the fact that an attacker requires high privileges for a successful exploit prevents the vulnerability from being tagged with a CVSS score of 10," Onapsis added.
The disclosure comes as Microsoft shipped patches for 84 vulnerabilities across products, including dozens of privilege escalation and remote code execution flaws.
On Tuesday, Adobe also announced patches for 80 vulnerabilities, four of which are critical flaws impacting Adobe Commerce and Magento Open Source that could result in privilege escalation and security feature bypass. Separately, it fixed five critical vulnerabilities in Adobe Illustrator that could pave the way for arbitrary code execution.
Elsewhere, Hewlett Packard Enterprise put out fixes for five shortcomings in Aruba Networking AOS-CX. The most severe of the flaws is CVE-2026-23813 (CVSS score: 9.8), an authentication bypass affecting the management interface.
"A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls," HPE said. "In some cases, this could enable resetting the admin password."
"Exploitation of this Aruba vulnerability potentially gives attackers full control of AOS-CX network devices and the ability to compromise an entire system undetected," Ross Filipek, CISO at Corsica Technologies, said in a statement.
"A successful compromise could lead to the disruption of network communications or the erosion of the integrity of key business services. This flaw is a reminder that vulnerabilities in network devices are becoming more common in today's hyper-connected world. When attackers gain privileged access to these devices, it puts organizations at significant risk."
Software Patches from Other Vendors
Security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
- ABB
- Amazon Web Services
- AMD
- Arm
- Atlassian
- Bosch
- Broadcom (including VMware)
- Canon
- Cisco
- Commvault
- Dassault Systèmes
- Dell
- Devolutions
- Drupal
- Elastic
- F5
- Fortinet
- Fortra
- Foxit Software
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Google Pixel Watch
- Google Wear OS
- Grafana
- Hitachi Energy
- Honeywell
- HP
- HP Enterprise (including Aruba Networking and Juniper Networks)
- IBM
- Intel
- Ivanti
- Jenkins
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- Moxa
- Mozilla Firefox, Firefox ESR, and Thunderbird
- n8n
- NVIDIA
- Palo Alto Networks
- QNAP
- Qualcomm
- Ricoh
- Samsung
- Schneider Electric
- ServiceNow
- Siemens
- SolarWinds
- Splunk
- Synology
- TP-Link
- Trend Micro
- WatchGuard
- Western Digital
- Zoom, and
- Zyxel
