Technology companies including SAP, Adobe, Microsoft, and Fortinet released critical security updates on Tuesday, April 9, as part of the coordinated monthly patching cycle. The updates address multiple severe vulnerabilities that, if exploited, could allow attackers to take control of affected systems, access sensitive data, or disrupt business operations. Administrators and users are urged to apply these patches promptly to mitigate significant security risks.

Critical SAP Vulnerabilities Lead the Updates

Among the most severe flaws patched this month is an SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse, tracked as CVE-2026-27681. This vulnerability carries a CVSS severity score of 9.9 out of 10. Successful exploitation could enable an unauthenticated attacker to execute arbitrary commands on the underlying database, potentially leading to a full compromise of the system and its data.

SAP’s security notes also resolved other high-priority issues across its product portfolio. The company emphasized the critical nature of these updates for maintaining system integrity, particularly for enterprises using its business software for financial planning and data warehousing.

Microsoft Patches Actively Exploited Zero-Day

Microsoft’s April security release, known as patch tuesday, included fixes for approximately 150 vulnerabilities. One notable flaw, identified as CVE-2024-29988, is a security feature bypass in the SmartScreen prompt that has already been exploited in limited attacks. Microsoft stated that attackers could use this flaw to deliver malware by bypassing critical user warnings.

Other significant Microsoft patches addressed remote code execution vulnerabilities in Windows DNS Server, Microsoft Defender for IoT, and the Windows Kerberos authentication protocol. The company classified several of these fixes as “critical,” indicating they could be exploited without user interaction.

Adobe and Fortinet Resolve High-Severity Issues

Adobe released security updates for multiple products, including Adobe Commerce, Magento Open Source, and Experience Manager. The company addressed critical vulnerabilities that could lead to arbitrary code execution and security feature bypasses. Adobe has not reported any active exploits in the wild for these specific issues at the time of the bulletin.

Fortinet issued advisories for critical vulnerabilities in its FortiOS and FortiProxy secure web gateway. One flaw, an out-of-bounds write vulnerability in FortiOS, received a CVSS score of 9.6. The company warned that this could allow an unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Industry-Wide Patching Effort

The coordinated Patch Tuesday effort highlights the ongoing challenge of software security in complex enterprise and consumer environments. Security researchers consistently discover vulnerabilities in widely used software, necessitating regular and timely updates from vendors. The inclusion of flaws from multiple major vendors in a single cycle underscores the scale of the patching task for IT departments globally.

Organizations are advised to prioritize patching based on the severity of the vulnerability, the exposure of the affected system to the internet, and evidence of active exploitation. External-facing systems and those handling sensitive data typically require immediate attention.

Next Steps for Organizations and Users

Security teams are expected to begin testing and deploying these patches across their networks immediately. Given the critical ratings and the presence of an already-exploited zero-day, the urgency for deployment is high. Vendors typically recommend applying updates as soon as testing confirms compatibility with existing systems.

Further technical details and exploitation trends related to these vulnerabilities are likely to be published by cybersecurity firms and researchers in the coming days. Organizations should monitor these sources for additional context and guidance on detection and mitigation if immediate patching is not feasible.

Source: GeekWire