TL;DR: SAP’s March 2026 Patch Day includes 15 Security Notes, with two Critical issues spanning remotely exploitable code execution in FS-QUO and deserialization risk in Enterprise Portal Administration, plus a High-severity APO denial-of-service path, according to Pathlock. Internal trust, privileged admin surfaces, and RFC reachability remain the controls that matter most.
NHIMG editorial — based on content published by Pathlock: SAP March 2026 Security Notes and priority exposure paths
Questions worth separating out
Q: What fails when SAP admin access is too broadly distributed?
A: Broad admin access turns a vulnerability into a control-plane compromise because privileged users can reach the exact processing paths attackers need.
Q: Why do authenticated SAP users still create serious risk?
A: Authenticated access often means the attacker has already crossed the first trust boundary.
Q: How can teams tell whether SAP patching actually reduced exposure?
A: Teams should confirm more than note installation.
Practitioner guidance
- Isolate externally reachable SAP scheduler paths Place FS-QUO scheduler endpoints behind strict allowlists, remove unnecessary DMZ or partner reachability, and verify that only approved integration sources can connect.
- Re-baseline portal administration as a privileged control plane Limit Portal Administration to a minimal account set, require stronger authentication for those roles, and review every administrative upload or import path for deserialization exposure.
- Constrain RFC call paths and execution rights Review which users and technical accounts can invoke APO and related RFC functions, then remove broad execution rights and add throttling where middleware supports it.
What's in the full article
Pathlock's full analysis covers the operational detail this post intentionally leaves for the source:
- Exact SAP Note references and component-level remediation guidance for each affected product area
- Patch prioritisation notes that help Basis and application teams sequence work across FS-QUO, Enterprise Portal, and APO
- Additional low- and medium-priority notes covering authorization checks, input validation, and endpoint exposure
- Detailed hardening guidance for RFC pathways, portal admin access, and SAP host monitoring
👉 Read Pathlock’s analysis of SAP March 2026 security notes and exposure paths →
SAP March 2026 patch day: what IAM teams need to prioritise now?
Explore further
Internal trust is the real failure mode in this patch cycle. The article shows that SAP’s highest-risk notes are not internet-worm problems, but trusted internal paths that become dangerous once an attacker has reachability or privileged access. That is exactly where IAM, PAM, and NHI governance converge: the account may be authenticated, but the system still assumes it is safe. Practitioners should treat internal trust as a control boundary, not an assumption.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one exposure can become repeated operational loss.
A question worth separating out:
Q: Who is accountable when SAP interface abuse causes outage or compromise?
A: Accountability usually sits across application owners, Basis teams, IAM, and the business owner of the process. The reason is simple: interface abuse is often enabled by role design, network reachability, and weak operational monitoring working together. If one team owns only the patch and another owns the access path, both must validate the outcome.
👉 Read our full editorial: SAP March 2026 patch day shows internal trust remains fragile