wid-sec-w-2026-0647 · Published 2026-03-09 · View on BSI CERT-Bund ↗

SAP Patchday März 2026: Multiple Vulnerabilities

CVSS 9.8 CRITICAL

Risk Summary

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVEs (16)

CVE-2019-17571 CVE-2025-9230 CVE-2025-9232 CVE-2026-0489 CVE-2026-24309 CVE-2026-24310 CVE-2026-24311 CVE-2026-24313 CVE-2026-24316 CVE-2026-24317 CVE-2026-27684 CVE-2026-27685 CVE-2026-27686 CVE-2026-27687 CVE-2026-27688 CVE-2026-27689

Affected Vendors

SAP

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more