
SAP fixes critical flaws in NetWeaver and Commerce Cloud

Bleeping Computer Archived Jun 09, 2026 ✓ Full text saved



By Bill Toulas, June 9, 2026 03:36 PM

SAP has released fixes for 15 vulnerabilities as part of its June 2026 Security Patch package, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud.

NetWeaver is SAP's core application platform and middleware stack that provides the foundation for many SAP business applications, including ERP systems, handling functions such as application serving, integration, authentication, user management, and data processing.

Commerce Cloud is an enterprise e-commerce platform (formerly Hybris). It enables organizations to build and manage online stores, digital sales channels, product catalogs, customer accounts, and order management systems for B2B and B2C commerce.

In this month's security bulletin, SAP lists the following critical vulnerabilities as being addressed:

CVE-2026-44748 (CVSS 9.9) – XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform, potentially allowing authentication bypass in SAML-based environments.
CVE-2026-27671 (CVSS 9.8) – Memory corruption flaw in SAP NetWeaver/ABAP Platform Application Server ABAP.
CVE-2026-22732 (CVSS 9.1) – Spring Security-related vulnerability affecting SAP Commerce Cloud and SAP Data Hub.
CVE-2026-40128 (CVSS 9.0) – Directory traversal vulnerability in SAP NetWeaver Application Server Java's Web Container.

“SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier,” reads the description for CVE-2026-44748.

“This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage.”

In the case of CVE-2026-27671, an attacker can exploit it without authentication by sending crafted RFC requests to vulnerable endpoints, leveraging improper kernel validation to cause memory corruption.

Apart from the critical security issues above, SAP also addressed two high-severity vulnerabilities: CVE-2026-29145, which comprises multiple Apache Tomcat flaws impacting Commerce Cloud, and CVE-2026-44751, a missing authorization check issue in NetWeaver AS ABAP.

The German enterprise software company also addressed various SQL injection, path traversal, cross-site scripting (XSS), email spoofing, and authorization bypass issues across multiple SAP products.

Details about the flaws and mitigation advice or workarounds are available only to SAP customers with a security portal account.

Organizations using the impacted products should prioritize patching, particularly the SAML authentication flaw (CVE-2026-44748) and the memory corruption issue (CVE-2026-27671), which were rated very high in severity and could have a serious impact on enterprise environments.
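The XML Signature Wrapping class behind CVE-2026-44748 works because a verifier checks a valid signature but then acts on a different, unsigned element in the same document. The following added example (not code from the article or from SAP) shows the structural check a SAML consumer should apply before trusting an assertion: exactly one Assertion, an enveloped Signature whose Reference resolves to that same element, and no duplicate IDs. The sample Response documents are constructed; SignatureValue and KeyInfo are omitted because cryptographic verification of the signature is assumed to run separately on the element this check returns.

```python
import xml.etree.ElementTree as ET  # for untrusted input, parse with defusedxml instead

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signed_assertion(root):
    """Return the one Assertion whose enveloped Signature actually covers it.
    Structural checks only; SignatureValue must still be verified on this element."""
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)  # must be a direct child of the Assertion
    if sig is None:
        raise ValueError("Assertion carries no Signature")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or not refs[0].get("URI", "").startswith("#"):
        raise ValueError("expected one same-document Reference")
    target_id = refs[0].get("URI")[1:]
    # Resolve the ID over the whole document ourselves: a wrapped document may
    # carry a second element that reuses the signed element's ID.
    matches = [e for e in root.iter() if e.get("ID") == target_id]
    if len(matches) != 1 or matches[0] is not assertion:
        raise ValueError("Reference does not point at the consumed Assertion")
    return assertion

def consume(xml_text):
    """(subject, None) when the checks pass, else (None, reason)."""
    try:
        assertion = signed_assertion(ET.fromstring(xml_text))
    except ValueError as exc:
        return None, str(exc)
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), None

# Constructed samples (no real signature bytes; only structure is checked here).
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">')
SIGNED = ('<saml:Assertion ID="a1"><ds:Signature><ds:SignedInfo>'
          '<ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>'
          '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
LEGIT = HEAD + SIGNED + "</samlp:Response>"
# Same signed assertion, but an unsigned one reusing its ID is placed in front of
# it: a consumer that trusts the first Assertion it finds would accept "admin".
WRAPPED = (HEAD + '<saml:Assertion ID="a1"><saml:Subject><saml:NameID>admin'
           '</saml:NameID></saml:Subject></saml:Assertion><samlp:Extensions>'
           + SIGNED + "</samlp:Extensions></samlp:Response>")
```

`consume(LEGIT)` yields `('alice', None)`, while `consume(WRAPPED)` is rejected before any identity is read from it.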