SAP Security Patch Day – Critical Vulnerabilities in SAP NetWeaver Patched
By Guru Baran
June 9, 2026
SAP’s June 2026 Security Patch Day, observed on Tuesday, June 9, delivered 15 new security notes addressing a broad range of vulnerabilities across core SAP products, including four critical-severity flaws that demand immediate enterprise attention.
SAP strongly urges all customers to visit the SAP Support Portal and apply the patches as a priority to protect their SAP landscape.
Critical Vulnerabilities Patched
The most severe flaw patched this cycle is CVE-2026-44748 (CVSS 9.9), an XML Signature Wrapping vulnerability in SAML Authentication affecting SAP NetWeaver AS ABAP and ABAP Platform.
This flaw allows an authenticated attacker with low privileges who holds a validly signed message to transmit modified XML documents to the verifier, potentially enabling acceptance of tampered identity information, unauthorized access to sensitive user data, and privilege escalation across enterprise systems. In a signature wrapping attack the legitimately signed element is left intact so that signature validation still succeeds, while unsigned content is inserted at the position the consuming code actually reads from; the verifier and the application end up operating on different elements. The vulnerability spans an extensive range of SAP_BASIS versions from 702 through 919, making the patch footprint exceptionally wide.
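To make the verifier mistake concrete, the following is an added example that is not SAP code and does not reproduce CVE-2026-44748. It builds a constructed, SAML-like Response with one signed Assertion, performs a signature wrapping attack on it, and shows a vulnerable consumer (signature checked on the referenced element, identity read from the first Assertion in document order) beside a hardened one (identity read only from the element the signature covers, with duplicate Assertions and IDs rejected). The HMAC here is an assumed stand-in for XML-DSig, and the element and attribute names are simplified; the wrapping logic and the defensive rule are the same as in real SAML processing.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed demo key standing in for the IdP's signing key. Real SAML uses
# XML-DSig (RSA/ECDSA over a canonicalised subtree); the wrapping logic and the
# verifier mistake demonstrated here are the same.
IDP_KEY = b"demo-idp-signing-key"


def canonical(elem):
    # Deterministic serialisation of one subtree; stand-in for XML C14N.
    return ET.tostring(elem, encoding="utf-8")


def sign(elem):
    return hmac.new(IDP_KEY, canonical(elem), hashlib.sha256).hexdigest()


def build_signed_response(subject, assertion_id="_a1"):
    # Legitimate IdP output: one Assertion plus a detached Signature whose
    # Reference URI names the Assertion by its ID attribute.
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(resp, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion_id)
    ET.SubElement(sig, "SignatureValue").text = sign(assertion)
    return ET.tostring(resp, encoding="unicode")


def wrap_attack(signed_xml, forged_subject):
    # XSW: keep the signed Assertion byte-for-byte intact so the signature
    # still verifies, and insert an unsigned Assertion with a new ID in front
    # of it, which is where a naive consumer reads the identity from.
    resp = ET.fromstring(signed_xml)
    forged = ET.Element("Assertion", ID="_evil")
    ET.SubElement(forged, "Subject").text = forged_subject
    resp.insert(0, forged)
    return ET.tostring(resp, encoding="unicode")


def element_by_id(root, ref_id):
    return next((e for e in root.iter() if e.get("ID") == ref_id), None)


def verify_signature(root):
    # Returns the element the signature actually covers, or None on failure.
    sig = root.find("Signature")
    if sig is None:
        return None
    ref = sig.find("Reference")
    value = sig.find("SignatureValue")
    if ref is None or value is None or not ref.get("URI", "").startswith("#"):
        return None
    target = element_by_id(root, ref.get("URI")[1:])
    if target is None or not hmac.compare_digest(sign(target), value.text or ""):
        return None
    return target


def vulnerable_subject(xml_text):
    # Signature is verified on the referenced element, but the identity is
    # read from the first Assertion in document order: the classic XSW bug.
    root = ET.fromstring(xml_text)
    if verify_signature(root) is None:
        return None
    return root.find("Assertion").find("Subject").text


def hardened_subject(xml_text):
    # Trust only the element the signature covers, and reject structural
    # anomalies (extra Assertions, duplicate IDs) before reading any identity.
    root = ET.fromstring(xml_text)
    signed = verify_signature(root)
    if signed is None or signed.tag != "Assertion":
        return None
    assertions = root.findall("Assertion")
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(assertions) != 1 or assertions[0] is not signed or len(ids) != len(set(ids)):
        return None
    return signed.find("Subject").text


if __name__ == "__main__":
    legit = build_signed_response("alice")
    attacked = wrap_attack(legit, "admin")
    print("vulnerable, legit   :", vulnerable_subject(legit))
    print("vulnerable, wrapped :", vulnerable_subject(attacked))
    print("hardened,   wrapped :", hardened_subject(attacked))
```

The signature check itself passes in both consumers; the difference is entirely in which element the application trusts afterwards. That is why disabling SAML is only a partial workaround for this class of bug: any code path that verifies a signed XML document and then reads data from it by position or tag name, rather than from the exact element the signature references, has the same weakness.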
A second critical issue, CVE-2026-27671 (CVSS 9.8), targets the Application Server ABAP kernel and introduces a memory corruption risk via improper RFC protocol validation.
Unlike the SAML flaw, this vulnerability is unauthenticated; an attacker can send a specially crafted RFC request that exploits logical errors in memory management without any valid credentials, leading to high-impact compromise of confidentiality, integrity, and availability. Affected components include multiple KRNL64NUC, KRNL64UC, and KERNEL versions.
CVE-2026-22732 (CVSS 9.1) patches a Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub, enabling unauthenticated remote attackers to impact confidentiality and integrity without user interaction.
Completing the critical quartet is CVE-2026-40128 (CVSS 9.0), a Directory Traversal flaw in the SAP NetWeaver Application Server Java Web Container (ENGINEAPI 7.50), where a network-accessible attacker can use traversal sequences to reach resources outside the intended directory, with high confidentiality, integrity, and availability impact.
High-Severity Patches
SAP also addressed two high-priority notes this cycle. CVE-2026-29145 (CVSS 7.4) bundles multiple Apache Tomcat vulnerabilities, including CVE-2025-66614 and CVE-2026-24734, within SAP Commerce Cloud (HY_COM 2205, COM_CLOUD 2211); they allow unauthenticated attackers to exploit weaknesses in the embedded Tomcat server.
CVE-2026-44751 (CVSS 7.1) fixes a Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform affecting SAP_BASIS versions 700 through 816, where a low-privileged network attacker could achieve high integrity impact and partial availability disruption.
Medium and Low Severity Notes
Note #  | CVE            | Product                                   | Vulnerability Type            | CVSS
3748819 | CVE-2026-44754 | ODP Data Replication APIs                 | Missing Caller Identification | 6.6
3751691 | CVE-2026-44744 | SAP S/4HANA                               | SQL Injection                 | 6.5
3723655 | CVE-2026-44746 | SAP NetWeaver AS Java (JDBC Test Servlet) | Reflected XSS                 | 6.1
3715280 | CVE-2026-44757 | SAP Wily Introscope Enterprise Manager    | Cross-Site Scripting          | 4.7
3673181 | CVE-2026-44750 | SAP MDG (Review Match Groups)             | Missing Authorization         | 4.3
3687096 | CVE-2026-44755 | SAP BusinessObjects BI Platform           | Email Spoofing                | 4.3
3682699 | CVE-2026-24315 | SAP Fiori (Launchpad)                     | Path Traversal                | 4.2
3706000 | CVE-2026-44743 | SAP Business Objects                      | Security Misconfiguration     | 3.7
3726899 | CVE-2025-68161 | SAP NetWeaver AS Java                     | Apache Log4j Exposure         | 3.3
The SQL Injection flaw in SAP S/4HANA (CVE-2026-44744, CVSS 6.5) poses a notable data exposure risk, allowing authenticated low-privileged attackers to query sensitive database content via crafted inputs across S4FND versions 102 through 109.
The Reflected XSS in SAP NetWeaver’s JDBC Test Servlet (CVE-2026-44746) and the Log4j-related advisory in SAP NetWeaver AS Java (CVE-2025-68161) round out the lower-tier patches, though the latter serves as a reminder that third-party library dependencies within SAP products continue to introduce residual risk.
Security teams managing SAP environments should prioritize remediation in the following order:
1. CVE-2026-44748 – Apply the SAML XML Signature Wrapping fix immediately across all affected SAP_BASIS versions; as a temporary workaround, SAML authentication can be disabled, though this does not cover all signed XML use cases.
2. CVE-2026-27671 – Patch all affected SAP Kernel versions (7.22–9.19) to eliminate the unauthenticated RFC memory corruption vector.
3. CVE-2026-22732 and CVE-2026-40128 – Update SAP Commerce Cloud, SAP Data Hub, and NetWeaver AS Java (ENGINEAPI 7.50) to remediate the Spring Security and Directory Traversal flaws.
4. CVE-2026-29145 – Apply the Apache Tomcat bundle patch for SAP Commerce Cloud to address multiple embedded server vulnerabilities.
5. Remaining medium/low notes – Schedule within the standard monthly patch management cycle, prioritizing the S/4HANA SQL injection and NetWeaver AS Java XSS fixes.
SAP Security Patch Day is scheduled for the second Tuesday of every month. Organizations are strongly advised to implement a structured SAP patch management process and monitor the SAP Security Notes portal for any out-of-band updates following this cycle.
Guru Baran, https://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.