Critical SAP Vulnerabilities Require Immediate Patching
Severity: High (Score: 72.0)
Sources: Ccb.Belgium.Be, Heise.De, securityonline.info, nvd.nist.gov, Bleepingcomputer
Keywords: vulnerabilities, critical, security, affecting, products, patch, netweaver
Severity indicators: critical, critical security, vulnerabilities
Summary
SAP has released security updates addressing 15 vulnerabilities, including four critical ones affecting SAP NetWeaver and SAP Commerce Cloud. The vulnerabilities include CVE-2026-44748, allowing authenticated attackers to forge signed XML documents, and CVE-2026-27671, which enables unauthenticated attackers to exploit improper RFC protocol validation, potentially leading to memory corruption. Other critical vulnerabilities include CVE-2026-40128, a Directory Traversal flaw, and CVE-2026-22732, affecting Spring Security. Organizations using these products are urged to patch immediately, as exploitation could lead to unauthorized access and system disruptions. No active exploitation has been reported yet. The vulnerabilities were disclosed on June 9, 2026, and are part of SAP's June security patch package.
Key Points:
- SAP released patches for 15 vulnerabilities, including four critical ones.
- CVE-2026-44748 and CVE-2026-27671 pose significant risks of unauthorized access and system disruption.
- Organizations must prioritize patching to mitigate potential exploitation.
Detailed Analysis
**Impact**
Organizations using SAP NetWeaver, SAP Commerce Cloud, and SAP Data Hub are affected globally, particularly enterprises relying on SAP for ERP, e-commerce, and data processing. The vulnerabilities risk unauthorized access to sensitive user data, disruption of system operations, and potential arbitrary code execution. The critical flaws carry CVSS scores up to 9.9, indicating severe impact on the confidentiality, integrity, and availability of business-critical applications.
**Technical Details**
The flaws include an XML signature forgery (CVE-2026-44748), improper RFC protocol validation causing memory corruption (CVE-2026-27671), directory traversal via crafted HTTP logon requests (CVE-2026-40128), and an HTTP response header omission in Spring Security (CVE-2026-22732). Attack vectors range from authenticated low-privilege users to unauthenticated remote attackers. No active exploitation in the wild has been reported. The vulnerabilities affect SAP NetWeaver Application Server ABAP/Java, SAP Commerce Cloud, and Spring Security servlet layers.
**Recommended Response**
Apply SAP’s June 2026 security patches immediately, prioritizing updates for CVE-2026-44748, CVE-2026-27671, CVE-2026-40128, and CVE-2026-22732 after thorough testing. Enhance monitoring and detection capabilities for suspicious RFC requests, malformed HTTP logons, and anomalous XML signature activity. Report any incidents promptly to the relevant authorities. Patching does not remediate a compromise that has already occurred; forensic analysis is advised if intrusion is suspected.
Source articles (7)
- SAP Patchday: Critical vulnerabilities in SAP NetWeaver and other weaknesses — Heise.De · 2026-06-09
  SAP has released 15 new security notes for the June patch day on Tuesday morning. They address partly critical security vulnerabilities in the software, with three of them affecting SAP NetWeaver. In…
- CVE-2026-22732 — nvd.nist.gov · 2026-06-09
  When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security S…
- Warning: SAP Addresses Critical Vulnerabilities Affecting Multiple SAP products, Patch Immediately! — Ccb.Belgium.Be · 2026-06-09
  SAP has released fifteen security updates addressing a range of vulnerabilities across its core SAP products, including four critical vulnerabilities that require immediate attention from organization…
- SAP fixes critical flaws in NetWeaver and Commerce Cloud — Bleepingcomputer · 2026-06-09
  SAP has released fixes for 15 vulnerabilities as part of its June 2026 Security Patch package, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud. NetWeaver is SAP's…
- OSINT - Securityonline.info — securityonline.info · 2026-06-09
- CVE-2026-44748 — www.cve.org · 2026-06-09
- CVE-2026-27671 — www.cve.org · 2026-06-09
Timeline
- 2026-04-09 — CVE-2026-29145 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-06-09 — SAP releases June 2026 Security Patch package: SAP addresses 15 vulnerabilities, including four critical flaws in NetWeaver and Commerce Cloud, urging immediate action from organizations.
- 2026-06-09 — CVE-2026-44748 published: This vulnerability allows authenticated attackers to forge signed XML documents, potentially leading to unauthorized access.
- 2026-06-09 — CVE-2026-27671 published: An unauthenticated attacker can exploit this vulnerability to cause memory corruption in SAP Kernel, impacting system stability.
- 2026-06-09 — CVE-2026-40128 published: This Directory Traversal vulnerability allows unauthenticated attackers to manipulate file inclusion parameters, risking sensitive data exposure.
- 2026-06-09 — CVE-2026-22732 published: A vulnerability in Spring Security that may leave web clients vulnerable to connection hijacking due to improper HTTP header handling.
- 2026-06-09 — CVE-2026-44751 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
CVEs
Related entities
- Cross-Site Scripting (xss) (Mitre Attack)
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Sql Injection (Attack Type)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-22 - Path Traversal (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- CWE-79 - Cross-Site Scripting (XSS) (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- CWE-89 - SQL Injection (Cwe)
- CWE-94 - Code Injection (Cwe)
- german.it (Domain)
- ABAP (Platform)
- ABAP Platform (Platform)
- Apache Tomcat (Platform)
- NetWeaver Application Server ABAP (Platform)
- NetWeaver Application Server Java (Platform)
- SAP Commerce Cloud (Platform)
- SAP Data Hub (Platform)
- SAP Kernel (Platform)
- SAP NetWeaver (Platform)
- Spring Security (Platform)
- Path Traversal (Vulnerability)