Critical SAP NetWeaver Vulnerabilities Patched on Patch Day
Four critical-severity flaws are among the 15 new security notes SAP released on its June 2026 Security Patch Day. Delivered Tuesday, June 9, these updates address a broad range of vulnerabilities...
Four critical-severity flaws are among the 15 new security notes SAP released on its June 2026 Security Patch Day. Delivered Tuesday, June 9, these updates address a broad range of vulnerabilities impacting core SAP products and demand immediate enterprise attention.
Table Of Content
SAP strongly urges all customers to visit the SAP Support Portal and apply the patches on priority to protect their SAP landscape.
Critical Vulnerabilities Patched
The most severe flaw patched this cycle is CVE-2026-44748 (CVSS 9.9), an XML Signature Wrapping vulnerability in SAML Authentication affecting SAP NetWeaver AS ABAP and ABAP Platform.
This flaw allows an authenticated attacker with low privileges to obtain a valid signed message and transmit modified XML documents to the verifier, potentially enabling acceptance of tampered identity information, unauthorized access to sensitive user data, and privilege escalation across enterprise systems. The vulnerability spans an extensive range of SAP_BASIS versions from 702 through 919, making the patch footprint exceptionally wide.
A second critical issue, CVE-2026-27671 (CVSS 9.8), targets the Application Server ABAP kernel and introduces a memory corruption risk via improper RFC protocol validation.
Unlike the SAML flaw, this vulnerability is unauthenticated; an attacker can send a specially crafted RFC request that exploits logical errors in memory management without any valid credentials, leading to high-impact compromise of confidentiality, integrity, and availability. Affected components include multiple KRNL64NUC, KRNL64UC, and KERNEL versions.
CVE-2026-22732 (CVSS 9.1) patches a Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub, enabling unauthenticated remote attackers to impact confidentiality and integrity without user interaction.
Completing the critical quartet is CVE-2026-40128 (CVSS 9.0), a Directory Traversal flaw in the SAP NetWeaver Application Server Java Web Container (ENGINEAPI 7.50), where a network-accessible attacker can traverse directory structures to reach sensitive resources under high confidentiality, integrity, and availability impact.
High-Severity Patches
SAP also addressed two high-priority notes this cycle. CVE-2026-29145 (CVSS 7.4) bundles multiple Apache Tomcat vulnerabilities — including CVE-2025-66614 and CVE-2026-24734 within SAP Commerce Cloud (HY_COM 2205, COM_CLOUD 2211), allowing unauthenticated attackers to exploit weaknesses in the embedded Tomcat server.
CVE-2026-44751 (CVSS 7.1) fixes a Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform affecting SAP_BASIS versions 700 through 816, where a low-privileged network attacker could achieve high integrity impact and partial availability disruption.
Medium and Low Severity Notes
| Note # | CVE | Product | Vulnerability Type | CVSS |
|---|---|---|---|---|
| 3748819 | CVE-2026-44754 | ODP Data Replication APIs | Missing Caller Identification | 6.6 |
| 3751691 | CVE-2026-44744 | SAP S/4HANA | SQL Injection | 6.5 |
| 3723655 | CVE-2026-44746 | SAP NetWeaver AS Java (JDBC Test Servlet) | Reflected XSS | 6.1 |
| 3715280 | CVE-2026-44757 | SAP Wily Introscope Enterprise Manager | Cross-Site Scripting | 4.7 |
| 3673181 | CVE-2026-44750 | SAP MDG (Review Match Groups) | Missing Authorization | 4.3 |
| 3687096 | CVE-2026-44755 | SAP BusinessObjects BI Platform | Email Spoofing | 4.3 |
| 3682699 | CVE-2026-24315 | SAP Fiori (Launchpad) | Path Traversal | 4.2 |
| 3706000 | CVE-2026-44743 | SAP Business Objects | Security Misconfiguration | 3.7 |
| 3726899 | CVE-2025-68161 | SAP NetWeaver AS Java | Apache Log4j Exposure | 3.3 |
The SQL Injection flaw in SAP S/4HANA (CVE-2026-44744, CVSS 6.5) poses a notable data exposure risk, allowing authenticated low-privileged attackers to query sensitive database content via crafted inputs across S4FND versions 102 through 109.
The Reflected XSS in SAP NetWeaver’s JDBC Test Servlet (CVE-2026-44746) and the Log4j-related advisory in SAP NetWeaver AS Java (CVE-2025-68161) round out the lower-tier patches, though the latter serves as a reminder that third-party library dependencies within SAP products continue to introduce residual risk.
Security teams managing SAP environments should prioritize remediation in the following order:
- CVE-2026-44748 – Apply the SAML XML Signature fix immediately across all SAP_BASIS versions; as a temporary workaround, SAML authentication can be disabled, though this does not cover all signed XML use cases.
- CVE-2026-27671 – Patch all affected SAP Kernel versions (7.22–9.19) to eliminate the unauthenticated RFC memory corruption vector.
- CVE-2026-22732 & CVE-2026-40128 – Update SAP Commerce Cloud, SAP Data Hub, and NetWeaver Java (ENGINEAPI 7.50) to remediate the Spring Security and Directory Traversal flaws
- CVE-2026-29145 – Apply the Apache Tomcat bundle patch for SAP Commerce Cloud to address multiple embedded server vulnerabilities
- Remaining medium/low notes – Schedule within the standard monthly patch management cycle, particularly prioritizing the S/4HANA SQL injection and NetWeaver AS Java XSS fixes
SAP Security Patch Day is scheduled for the second Tuesday of every month. Organizations are strongly advised to implement a structured SAP patch management process and monitor the SAP Security Notes portal for any out-of-band updates following this cycle.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.