SAP has released a security update that addresses two critical security flaws that can be exploited to execute arbitrary code on affected systems.
The vulnerabilities in question are listed below –
CVE-2019-17571 (CVSS score: 9.8) – Code injection vulnerability in SAP Quotation Management Insurance application (FS-QUO) CVE-2026-27685 (CVSS score: 9.1) – Insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration
“This application uses outdated artifacts in Apache Log4j 1.2.17 that are vulnerable to CVE-2019-17571,” said SAP security company Onapsis. “It allows an unprivileged attacker to remotely execute arbitrary code on the server, significantly impacting application confidentiality, integrity, and availability.”
CVE-2026-27685, on the other hand, could allow an attacker to upload untrusted or malicious content due to missing or insufficient validation during deserialization of uploaded content.
“Only the fact that an attacker would require elevated privileges to successfully exploit could prevent this vulnerability from being tagged with a CVSS score of 10,” Onapsis added.
The disclosure comes after Microsoft shipped patches for 84 vulnerabilities across its products, including dozens of privilege escalation and remote code execution flaws.
Adobe also announced patches for 80 vulnerabilities on Tuesday. Four of these are critical flaws affecting Adobe Commerce and Magento Open Source that could lead to privilege escalation and security feature bypass. Separately, five critical vulnerabilities in Adobe Illustrator that could pave the way to arbitrary code execution were also fixed.
Elsewhere, Hewlett Packard Enterprise published fixes for five flaws in Aruba Networking AOS-CX. The most severe flaw is CVE-2026-23813 (CVSS score: 9.8), which is an authentication bypass that affects the management interface.
“A vulnerability has been identified in the web-based management interface of AOS-CX switches that could allow an unauthenticated, remote attacker to bypass existing authentication controls,” HPE said. “In some cases, this may allow you to reset your administrator password.”
“Exploitation of this Aruba vulnerability could allow an attacker to gain complete control of an AOS-CX network device and compromise the entire system without detection,” Ross Filipek, CISO at Corsica Technologies, said in a statement.
“Successful compromise could lead to disruption of network communications and compromise of the integrity of key business services. This flaw is a reminder that vulnerabilities in network devices are becoming more common in today’s hyper-connected world. When attackers gain privileged access to these devices, they expose organizations to significant risk.”
Software patches from other vendors
Other vendors have also released security updates in the past few weeks that fix several vulnerabilities, including:
ABB Amazon Web Services AMD Arm Atlassian Bosch Broadcom (includes VMware) Canon Cisco Commvault Dassault Systèmes Dell Devolutions Drupal Elastic F5 Fortinet Fortra Foxit Software GitLab Google Android and Pixel Google Chrome Google Cloud Google Pixel Watch Google Wear OS Grafana Hitachi Energy Honeywell HP HP Enterprise (includes Aruba Networking and Juniper Networks) IBM Intel Ivanti Jenkins Lenovo Linux DistributionsAlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu MediaTek Mitsubishi Electric Moxa Mozilla Firefox, Firefox ESR, and Thunderbird n8n NVIDIA Palo Alto Networks QNAP Qualcomm Ricoh Samsung Schneider Electric ServiceNow Siemens SolarWinds Splunk Synology TP-Link Trend Micro WatchGuard Western Digital WordPress Zoom, Zyxel
Source link
