SAP March 2026 patch day: what IAM teams need to prioritise now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7677

TL;DR: SAP’s March 2026 Patch Day includes 15 Security Notes, with two Critical issues spanning remotely exploitable code execution in FS-QUO and deserialization risk in Enterprise Portal Administration, plus a High-severity APO denial-of-service path, according to Pathlock. Internal trust, privileged admin surfaces, and RFC reachability remain the controls that matter most.

NHIMG editorial — based on content published by Pathlock: SAP March 2026 Security Notes and priority exposure paths

Questions worth separating out

Q: What fails when SAP admin access is too broadly distributed?

A: Broad admin access turns a vulnerability into a control-plane compromise because privileged users can reach the exact processing paths attackers need.

Q: Why do authenticated SAP users still create serious risk?

A: Authenticated access often means the attacker has already crossed the first trust boundary.

Q: How can teams tell whether SAP patching actually reduced exposure?

A: Teams should confirm that the exposure paths are actually closed, not just that the notes are installed.

Practitioner guidance

  • Isolate externally reachable SAP scheduler paths: place FS-QUO scheduler endpoints behind strict allowlists, remove unnecessary DMZ or partner reachability, and verify that only approved integration sources can connect.
  • Re-baseline portal administration as a privileged control plane: limit Portal Administration to a minimal account set, require stronger authentication for those roles, and review every administrative upload or import path for deserialization exposure.
  • Constrain RFC call paths and execution rights: review which users and technical accounts can invoke APO and related RFC functions, then remove broad execution rights and add throttling where middleware supports it.
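The three controls above, and the question of how to confirm that patching actually reduced exposure, come down to comparing what can currently reach or invoke a surface against a small approved set. The following script is an added example, not code from this post or from Pathlock: it runs that comparison over constructed data for all three controls (scheduler reachability, Portal Administration membership, RFC execution grants). The allowlist CIDRs, the connection log lines, the role and function-group names, and the `RfcGrant` shape are all assumptions standing in for whatever the real exports from the SAP landscape and middleware look like.

```python
"""Re-baseline check for the three SAP controls discussed above.
Added example with constructed data; role names, function groups and
log format are assumptions, not SAP or Pathlock artefacts."""
from dataclasses import dataclass
import ipaddress

# --- Control 1: FS-QUO scheduler reachability ---------------------------
# Constructed allowlist of approved integration sources.
APPROVED_SOURCES = [ipaddress.ip_network(c) for c in ("10.20.0.0/24", "10.21.5.0/28")]

# Constructed connection log: "<source_ip> <target_service>" per line.
SCHEDULER_CONN_LOG = """\
10.20.0.15 fs-quo-scheduler
10.21.5.3 fs-quo-scheduler
198.51.100.7 fs-quo-scheduler
10.20.0.16 portal-admin
"""


def unapproved_scheduler_sources(log: str, target: str = "fs-quo-scheduler") -> list[str]:
    """Source IPs that reached the scheduler endpoint but are not on the allowlist."""
    offenders = []
    for line in log.splitlines():
        if not line.strip():
            continue
        src, service = line.split()
        if service != target:
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in APPROVED_SOURCES):
            offenders.append(src)
    return offenders


# --- Control 2: Portal Administration as a minimal account set -----------
# Constructed account -> roles mapping (role names assumed).
ROLE_ASSIGNMENTS = {
    "portal_admin_01": {"PORTAL_ADMIN", "PORTAL_USER"},
    "jdoe": {"PORTAL_USER"},
    "svc_integration": {"PORTAL_ADMIN"},  # service account holding admin rights
    "msmith": {"PORTAL_ADMIN", "PORTAL_USER"},
}
APPROVED_PORTAL_ADMINS = {"portal_admin_01"}


def excess_portal_admins(assignments: dict, approved: set) -> list[str]:
    """Accounts holding the admin role outside the approved minimal set."""
    return sorted(acct for acct, roles in assignments.items()
                  if "PORTAL_ADMIN" in roles and acct not in approved)


# --- Control 3: RFC execution rights ------------------------------------
@dataclass(frozen=True)
class RfcGrant:
    account: str
    function_group: str  # "*" stands for a wildcard grant over every group


# Constructed grants; "APO_" prefix marks the planning-related groups.
RFC_GRANTS = [
    RfcGrant("svc_apo_planner", "APO_PLANNING"),
    RfcGrant("svc_legacy", "*"),
    RfcGrant("basis_admin", "*"),
    RfcGrant("svc_reporting", "APO_REPORTS"),
]
APPROVED_APO_CALLERS = {"svc_apo_planner"}


def broad_rfc_grants(grants: list) -> list[str]:
    """Accounts holding a wildcard RFC execution grant."""
    return sorted({g.account for g in grants if g.function_group == "*"})


def unapproved_apo_callers(grants: list, approved: set) -> list[str]:
    """Accounts able to invoke APO-related function groups without approval.
    A wildcard grant counts, since it also covers the APO groups."""
    return sorted({g.account for g in grants
                   if (g.function_group == "*" or g.function_group.startswith("APO_"))
                   and g.account not in approved})


def rebaseline_report() -> dict:
    """One dict of findings; an empty list per key is the post-patch target state."""
    return {
        "scheduler_unapproved_sources": unapproved_scheduler_sources(SCHEDULER_CONN_LOG),
        "excess_portal_admins": excess_portal_admins(ROLE_ASSIGNMENTS, APPROVED_PORTAL_ADMINS),
        "wildcard_rfc_grants": broad_rfc_grants(RFC_GRANTS),
        "unapproved_apo_callers": unapproved_apo_callers(RFC_GRANTS, APPROVED_APO_CALLERS),
    }


if __name__ == "__main__":
    for finding, items in rebaseline_report().items():
        print(f"{finding}: {items or 'none'}")
```

Run it once before patching and again after the cleanup; a report in which every list is empty is the evidence that the exposure paths are closed, which is the check the Q&A above asks for beyond note installation. Note that a wildcard RFC grant is reported under both the wildcard and the unapproved-APO-caller findings on purpose: removing the broad grant is the fix, and the second finding only disappears once that happens.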

What's in the full article

Pathlock's full analysis covers the operational detail this post intentionally leaves for the source:

  • Exact SAP Note references and component-level remediation guidance for each affected product area
  • Patch prioritisation notes that help Basis and application teams sequence work across FS-QUO, Enterprise Portal, and APO
  • Additional low- and medium-priority notes covering authorization checks, input validation, and endpoint exposure
  • Detailed hardening guidance for RFC pathways, portal admin access, and SAP host monitoring

👉 Read Pathlock’s analysis of SAP March 2026 security notes and exposure paths →

