
SAP’s June 2026 Patch Day Fixes Four Critical Flaws Including a 9.9-Severity SAML Bypass in NetWeaver

Source: BleepingComputer

SAP released its June 2026 Security Patch Day on 10 June, addressing 15 vulnerabilities across its product portfolio. Four of those vulnerabilities carry a CVSS score of 9.0 or higher, placing them in the critical tier, and two of them are severe enough to warrant immediate attention from any organisation running SAP’s on-premises enterprise stack.

SAP software runs a large share of European enterprise infrastructure. The ERP and supply chain systems of major manufacturers, logistics operators, public institutions, and financial organisations across Germany, France, the Netherlands, and the broader EU run on NetWeaver and its associated stack. Critical vulnerabilities in this platform are therefore not abstract concerns for a narrow technical audience. They affect core business systems that process payroll, inventory, procurement, and financial reporting for some of the continent’s largest organisations.

The two most critical flaws

CVE-2026-44748 carries a CVSS score of 9.9 and affects SAP NetWeaver AS ABAP and the ABAP Platform. The vulnerability is an XML Signature Wrapping flaw in the SAML authentication implementation. An authenticated attacker with standard user privileges can obtain a valid SAML assertion, modify its XML structure, and pass the tampered document to the SAML verifier. Because the verifier fails to validate the cryptographic signature against the full document content, it accepts the manipulated identity claims. The result is that the attacker can authenticate as any user in the system, including privileged or administrative accounts, without knowing their credentials. This is a complete authentication bypass for any component relying on SAML within the affected versions, and the exploit path does not require elevated starting privileges.
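To make concrete what validating the signature against the right part of the document means, here is an added example (not from the article and not SAP's code) of the structural checks a SAML consumer should run before it trusts any identity claim: exactly one Assertion, a single enveloped Signature whose Reference points at that Assertion's ID, and the NameID read only from that Assertion. Cryptographic verification of the signature is assumed to follow and is not shown; the two documents are constructed test vectors with a placeholder signature value.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

def covered_assertion(xml_text: str) -> ET.Element:
    """Return the single Assertion that the enveloped Signature references.
    Structural checks only; cryptographic verification of the signature
    still has to follow. Raises ValueError on any mismatch."""
    root = ET.fromstring(xml_text)
    tag_a, tag_s = f"{{{SAML}}}Assertion", f"{{{DSIG}}}Signature"
    assertions = ([root] if root.tag == tag_a else []) + root.findall(f".//{tag_a}")
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    aid = assertion.get("ID")
    if not aid:
        raise ValueError("Assertion has no ID attribute")
    sigs = assertion.findall(tag_s)  # signature must be enveloped in the assertion
    if len(sigs) != 1:
        raise ValueError(f"expected one enveloped Signature, found {len(sigs)}")
    refs = sigs[0].findall(f".//{{{DSIG}}}Reference")
    if len(refs) != 1 or refs[0].get("URI") != f"#{aid}":
        raise ValueError("Signature Reference does not point at this Assertion")
    return assertion

def trusted_name_id(xml_text: str) -> str:
    """Read the NameID only from the assertion the signature covers."""
    name_id = covered_assertion(xml_text).find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not name_id.text:
        raise ValueError("covered Assertion carries no NameID")
    return name_id.text

# Constructed test vectors (no real signature value).
SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
 </saml:Assertion>
</samlp:Response>"""
# The failure mode the article describes: a second, unsigned Assertion with a
# different identity placed ahead of the signed one. A verifier that checks
# the signature on _a1 but reads claims from the first Assertion is bypassed.
WRAPPED = SIGNED.replace('<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin</saml:NameID>'
    '</saml:Subject></saml:Assertion>\n <saml:Assertion ID="_a1">', 1)
```

`trusted_name_id(SIGNED)` returns `alice`, while `trusted_name_id(WRAPPED)` raises because two Assertions are present, so the unsigned identity never reaches the application.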

CVE-2026-27671 carries a CVSS score of 9.8 and affects the ABAP Platform Application Server at the kernel level. The vulnerability is a memory corruption flaw in the handling of Remote Function Call (RFC) protocol requests. An unauthenticated attacker can send a specially crafted RFC request that triggers a stack-based buffer overflow, which can result in application crashes, unauthorised data access, or arbitrary code execution. The unauthenticated nature of this exploit path is significant: it requires no valid account on the target system and can be attempted from any network position that can reach the RFC port.

The other two critical vulnerabilities

CVE-2026-22732 (CVSS 9.1) is a Spring Security vulnerability affecting SAP Commerce Cloud and SAP Data Hub. Commerce Cloud is widely deployed in retail and manufacturing organisations running B2B or B2C e-commerce on SAP infrastructure.

CVE-2026-40128 (CVSS 9.0) is a directory traversal vulnerability in the Java Web Container component of SAP NetWeaver Application Server Java, which allows an attacker to read files outside the intended directory scope.

Why patching SAP on schedule is harder than it looks

SAP environments are rarely patched at the same cadence as Windows endpoints or cloud workloads. The integration complexity, the customisation layers, and the business-criticality of core ERP systems mean that many organisations run months or years behind on SAP security notes. Change control processes require extensive regression testing. Downtime windows are difficult to schedule around production cycles. The result is that SAP systems frequently carry a backlog of unpatched vulnerabilities, and critical patches sit waiting in a queue behind operational concerns.

CVE-2026-44748 and CVE-2026-27671 are the kind of vulnerabilities that justify an emergency change request to compress that timeline. A 9.9 authentication bypass in a system that holds payroll data, financial records, and procurement histories is not a risk to defer to the next scheduled maintenance window. RFC exposure to untrusted networks for a system carrying a CVSS 9.8 unauthenticated RCE is not a risk to defer at all.

For organisations that cannot patch immediately, compensating controls matter. RFC access to NetWeaver ABAP kernels should be restricted to trusted network segments. SAML configurations should be reviewed for unnecessary trust relationships. NetWeaver Java’s web interface should not be exposed to untrusted networks without compensating access controls.

If your organisation runs SAP NetWeaver and needs help assessing patch exposure, identifying exploit paths in your network topology, or implementing compensating controls while you schedule the patch work, contact Excello Digital. We help European enterprises manage vulnerability risk in complex on-premises environments.
