SAP has launched security updates to handle two crucial security flaws that may very well be exploited to realize arbitrary code execution on affected techniques.
The vulnerabilities in query listed beneath –
- CVE-2019-17571 (CVSS rating: 9.8) – A code injection vulnerability in SAP Citation Administration Insurance coverage software (FS-QUO)
- CVE-2026-27685 (CVSS rating: 9.1) – An insecure deserialization vulnerability in SAP NetWeaver Enterprise Portal Administration
“The applying makes use of an outdated artifact of Apache Log4j 1.2.17 that’s weak to CVE-2019-17571,” SAP security firm Onapsis mentioned. “It permits an unprivileged attacker to execute arbitrary code remotely on the server, inflicting excessive influence on confidentiality, integrity, and availability of the appliance.”
CVE-2026-27685, however, stems from lacking or inadequate validation throughout the deserialization of uploaded content material, which might permit an attacker to add untrusted or malicious content material.
“Solely the truth that an attacker requires excessive privileges for a profitable exploit prevents the vulnerability from being tagged with a CVSS rating of 10,” Onapsis added.
The disclosure comes as Microsoft shipped patches for 84 vulnerabilities throughout merchandise, together with dozens of privilege escalation and distant code execution flaws.
On Tuesday, Adobe additionally introduced patches for 80 vulnerabilities, 4 of that are crucial flaws impacting Adobe Commerce and Magento Open Supply that would lead to privilege escalation and security characteristic bypass. Individually, it mounted 5 crucial vulnerabilities in Adobe Illustrator that would pave the best way for arbitrary code execution.
Elsewhere, Hewlett Packard Enterprise put out fixes for 5 shortcomings in Aruba Networking AOS-CX. Essentially the most extreme of the failings is CVE-2026-23813 (CVSS rating: 9.8), an authentication bypass affecting the administration interface.
“A vulnerability has been recognized within the web-based administration interface of AOS-CX switches that would probably permit an unauthenticated distant actor to avoid current authentication controls,” HPE mentioned. “In some instances, this might allow resetting the admin password.”
“Exploitation of this Aruba vulnerability probably provides attackers full management of AOS-CX community gadgets and the flexibility to compromise a whole system undetected,” Ross Filipek, CISO at Corsica Applied sciences, mentioned in an announcement.
“A profitable compromise might result in the disruption of community communications or the erosion of the integrity of key enterprise providers. This flaw is a reminder that vulnerabilities in community gadgets have gotten extra widespread in right this moment’s hyper-connected world. When attackers achieve privileged entry to those gadgets, it places organizations at vital threat.”
Software program Patches from Different Distributors
Safety updates have additionally been launched by different distributors over the previous few weeks to rectify a number of vulnerabilities, together with —
- ABB
- Amazon Internet Providers
- AMD
- Arm
- Atlassian
- Bosch
- Broadcom (together with VMware)
- Canon
- Cisco
- Commvault
- Dassault Systèmes
- Dell
- Devolutions
- Drupal
- Elastic
- F5
- Fortinet
- Fortra
- Foxit Software program
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Google Pixel Watch
- Google Put on OS
- Grafana
- Hitachi Power
- Honeywell
- HP
- HP Enterprise (together with Aruba Networking and Juniper Networks)
- IBM
- Intel
- Ivanti
- Jenkins
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Crimson Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electrical
- Moxa
- Mozilla Firefox, Firefox ESR, and Thunderbird
- n8n
- NVIDIA
- Palo Alto Networks
- QNAP
- Qualcomm
- Ricoh
- Samsung
- Schneider Electrical
- ServiceNow
- Siemens
- SolarWinds
- Splunk
- Synology
- TP-Hyperlink
- Development Micro
- WatchGuard
- Western Digital
- Zoom, and
- Zyxel
