SAP has released security updates to address two critical security flaws that could be exploited to achieve arbitrary code execution on affected systems.
The vulnerabilities in question listed below –
- CVE-2019-17571 (CVSS score: 9.8) – A code injection vulnerability in SAP Quotation Management Insurance application (FS-QUO)
- CVE-2026-27685 (CVSS score: 9.1) – An insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration
“The application uses an outdated artifact of Apache Log4j 1.2.17 that is vulnerable to CVE-2019-17571,” SAP security company Onapsis said. “It allows an unprivileged attacker to execute arbitrary code remotely on the server, causing high impact on confidentiality, integrity, and availability of the application.”
CVE-2026-27685, on the other hand, stems from missing or insufficient validation during the deserialization of uploaded content, which could allow an attacker to upload untrusted or malicious content.
“Only the fact that an attacker requires high privileges for a successful exploit prevents the vulnerability from being tagged with a CVSS score of 10,” Onapsis added.
The disclosure comes as Microsoft shipped patches for 84 vulnerabilities across products, including dozens of privilege escalation and remote code execution flaws.
On Tuesday, Adobe also announced patches for 80 vulnerabilities, four of which are critical flaws impacting Adobe Commerce and Magento Open Source that could result in privilege escalation and security feature bypass. Separately, it fixed five critical vulnerabilities in Adobe Illustrator that could pave the way for arbitrary code execution.
Elsewhere, Hewlett Packard Enterprise put out fixes for five shortcomings in Aruba Networking AOS-CX. The most severe of the flaws is CVE-2026-23813 (CVSS score: 9.8), an authentication bypass affecting the management interface.
“A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls,” HPE said. “In some cases, this could enable resetting the admin password.”
“Exploitation of this Aruba vulnerability potentially gives attackers full control of AOS-CX network devices and the ability to compromise an entire system undetected,” Ross Filipek, CISO at Corsica Technologies, said in a statement.
“A successful compromise could lead to the disruption of network communications or the erosion of the integrity of key business services. This flaw is a reminder that vulnerabilities in network devices are becoming more common in today’s hyper-connected world. When attackers gain privileged access to these devices, it puts organizations at significant risk.”
Software Patches from Other Vendors
Security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
