SAP Issues Urgent Patches for Critical Vulnerabilities in Core Products
Severity: High (Score: 75.8)
Sources: securityonline.info, nvd.nist.gov, Ccb.Belgium.Be, Heise.De
Keywords: vulnerabilities, critical, security, affecting, products, patch, netweaver
Severity indicators: critical, critical security, vulnerabilities
Summary
SAP has released 15 security updates addressing critical vulnerabilities across its core products, including four that require immediate attention:

- CVE-2026-44748 is an XML signature vulnerability that lets an authenticated attacker forge signed XML documents, potentially leading to unauthorized access to sensitive data.
- CVE-2026-27671 is an improper-validation flaw in the SAP Kernel's RFC protocol handling that lets an unauthenticated attacker trigger memory corruption, putting application stability and data integrity at risk.
- CVE-2026-40128 is a directory traversal vulnerability that lets an unauthenticated attacker manipulate file-inclusion parameters, potentially exposing sensitive information.
- CVE-2026-22732 affects Spring Security and lets an unauthenticated remote attacker compromise confidentiality and integrity.

No active exploitation has been observed yet, but organizations are urged to apply the patches immediately.

Key Points:
- SAP released 15 security updates addressing critical vulnerabilities on June 9, 2026.
- Four vulnerabilities, including CVE-2026-44748 and CVE-2026-27671, are classified as critical.
- Organizations using affected SAP products are advised to apply the patches immediately.
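The summary describes forged signed XML documents accepted as authentic. One class of that problem is XML Signature Wrapping, where a valid signature is kept in the document but the consumer reads a different, unsigned element. The following is an added example, not SAP's code and not tied to the specific mechanics of CVE-2026-44748 (which the page does not detail): it shows the structural checks a consumer should run before trusting any signed element. It assumes a SAML-style layout in which the consumed element carries an ID attribute and its enveloped ds:Signature references that ID via URI="#id"; the sample documents and the stripped-down ds:Signature (no CanonicalizationMethod, no real SignatureValue) are constructed for illustration, and cryptographic verification of the signature is a separate step this code does not perform.

```python
"""Structural pre-checks against XML Signature Wrapping on a signed XML document.

Added example, not SAP's code.  Assumes a SAML-style layout: the element the
application consumes carries an ID attribute and the enveloped ds:Signature
references it with URI="#<id>".  Cryptographic verification of the signature
is a separate step; these checks decide which element that step is allowed
to vouch for.
"""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def _referenced_id(signature):
    """ID named by the single ds:Reference inside ds:SignedInfo, else None."""
    refs = signature.findall(f"{DS}SignedInfo/{DS}Reference")
    if len(refs) != 1:
        return None
    uri = refs[0].get("URI", "")
    return uri[1:] if uri.startswith("#") and len(uri) > 1 else None


def check_signed_element(xml_text, consumed_tag=f"{SAML}Assertion"):
    """Return (ok, reason).  ok is True only when:
      * exactly one `consumed_tag` element exists in the whole document,
      * it has an ID that no other element in the document shares,
      * it contains exactly one ds:Signature as a direct child, and
      * that signature's Reference URI names that same ID.
    Any other layout is treated as a wrapping attempt and rejected.
    """
    root = ET.fromstring(xml_text)
    consumed = list(root.iter(consumed_tag))
    if len(consumed) != 1:
        return False, f"expected one consumed element, found {len(consumed)}"
    target = consumed[0]
    target_id = target.get("ID")
    if not target_id:
        return False, "consumed element has no ID"
    same_id = [e for e in root.iter() if e.get("ID") == target_id]
    if len(same_id) != 1:
        return False, f"ID {target_id!r} is not unique ({len(same_id)} elements)"
    sigs = [c for c in target if c.tag == f"{DS}Signature"]
    if len(sigs) != 1:
        return False, f"expected one enveloped signature, found {len(sigs)}"
    ref_id = _referenced_id(sigs[0])
    if ref_id != target_id:
        return False, f"signature references {ref_id!r}, not {target_id!r}"
    return True, "ok"


def _sig(ref):
    """Constructed, simplified ds:Signature that references `ref` (no real crypto)."""
    return (f'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            f'<ds:SignedInfo><ds:Reference URI="#{ref}"/></ds:SignedInfo>'
            f'<ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>')


# Constructed sample documents.
GOOD = (f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
        f'<saml:Subject>alice</saml:Subject>{_sig("_a1")}</saml:Assertion>')

# Classic wrapping: the signed original is tucked under an extension element and an
# unsigned assertion with a fresh ID is placed where a naive consumer looks first.
WRAPPED = (f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_evil">'
           f'<saml:Subject>admin</saml:Subject><Extensions>'
           f'<saml:Assertion ID="_a1"><saml:Subject>alice</saml:Subject>{_sig("_a1")}</saml:Assertion>'
           f'</Extensions></saml:Assertion>')

# Single assertion, but its signature vouches for an ID that is not the assertion's own.
MISMATCH = (f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_evil">'
            f'<saml:Subject>admin</saml:Subject>{_sig("_a1")}</saml:Assertion>')


if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("wrapped", WRAPPED), ("mismatch", MISMATCH)):
        print(name, check_signed_element(doc))
```

The check deliberately refuses anything ambiguous (two consumed elements, a duplicated ID, a signature living somewhere other than directly under the element being trusted) rather than trying to pick the "right" one; the signature verifier should then be handed exactly the element these checks approved, never a second lookup by ID.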
Detailed Analysis
**Impact**

Organizations using SAP NetWeaver Application Server ABAP, ABAP Platform, SAP NetWeaver Application Server Java, SAP Commerce Cloud, and SAP Data Hub are affected. The vulnerabilities enable unauthorized access to sensitive user data, system crashes, arbitrary code execution, and disruption of normal operations. The scope covers critical business applications across multiple sectors globally, though the sources provide no specific geographic or sectoral data. Applying the patches does not undo a compromise that occurred before they were installed.

**Technical Details**

The four critical issues are XML signature forgery (CVE-2026-44748, CVSS 9.9), improper RFC protocol validation causing memory corruption in the SAP Kernel (CVE-2026-27671, CVSS 9.8), directory traversal via malicious HTTP logon requests (CVE-2026-40128, CVSS 9.0), and Spring Security HTTP header handling (CVE-2026-22732, CVSS 9.1). Attack vectors range from authenticated low-privilege users to unauthenticated remote attackers, targeting the SAP kernel and web container components. No malware or specific IOCs have been reported. Kill chain stages affected include initial access, execution, and persistence.

**Recommended Response**

Apply the fifteen SAP security updates immediately, prioritizing the patches for CVE-2026-44748, CVE-2026-27671, CVE-2026-40128, and CVE-2026-22732 after thorough testing. Enhance monitoring and detection to identify suspicious activity related to these vulnerabilities. Harden configurations around XML signature validation, RFC protocol handling, HTTP logon requests, and Spring Security headers. Report any intrusions promptly, and bear in mind that patching does not remediate a prior compromise.
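The response section asks for hardening of HTTP logon request handling and for detection of suspicious activity, and the technical details describe traversal through a file-inclusion parameter. The following is an added example, not SAP's code and not a reconstruction of CVE-2026-40128: it shows, for the general CWE-22 class, a hardened resolver for an include parameter (decode, reject, normalize, then confirm the result is still under the allowed directory) next to a scanner that flags traversal attempts against a logon endpoint in web access logs. The base directory /app/templates, the /logon endpoint, the `template` parameter and the log lines are all constructed for the example.

```python
"""Hardening and detection for a file-inclusion parameter exposed to directory
traversal (CWE-22).  Added illustration, not SAP's code: the base directory,
the /logon endpoint, the `template` parameter and the log lines are all
constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote

ALLOWED_BASE = "/app/templates"      # assumed directory the include may read from
ALLOWED_EXT = (".html", ".txt")      # assumed file types the include may serve


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e and %2e%2e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_include(param, base=ALLOWED_BASE):
    """Map an include parameter to an absolute path, or return None to reject it.

    Decodes first, then refuses null bytes, backslashes and absolute paths,
    normalizes the joined path and finally confirms it still sits below `base`
    and carries an allowed extension.  Checking the *normalized* result is what
    defeats 'sub/../../..' style sequences that a substring filter misses.
    """
    raw = fully_decode(param)
    if "\x00" in raw or "\\" in raw or raw.startswith("/"):
        return None
    normalized = posixpath.normpath(posixpath.join(base, raw))
    if not normalized.startswith(base + "/"):
        return None
    if not normalized.endswith(ALLOWED_EXT):
        return None
    return normalized


# Combined-log-format lines, constructed for the example (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2026:10:01:02 +0000] "GET /logon?template=logon.html HTTP/1.1" 200 1342',
    '203.0.113.5 - - [09/Jun/2026:10:01:07 +0000] "GET /logon?template=../../../../etc/passwd HTTP/1.1" 200 2017',
    '198.51.100.9 - - [09/Jun/2026:10:02:11 +0000] "GET /logon?template=%2e%2e%2f%2e%2e%2fsecret.txt HTTP/1.1" 404 210',
    '198.51.100.9 - - [09/Jun/2026:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.7 - - [09/Jun/2026:10:03:00 +0000] "GET /logon?template=%252e%252e%252fsecret.txt HTTP/1.1" 200 980',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def looks_like_traversal(path):
    """True when the request path, once fully decoded, carries a '..' segment or a null byte."""
    decoded = fully_decode(path)
    return "../" in decoded or "..\\" in decoded or "\x00" in decoded


def flag_traversal(log_lines, endpoint="/logon"):
    """Return (ip, path, status) for requests to `endpoint` that attempt traversal.

    A 200 on such a request is the one to escalate: it suggests the server
    served the file rather than rejecting the parameter.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(endpoint):
            continue
        if looks_like_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, path, status in flag_traversal(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
    print(resolve_include("logon.html"), resolve_include("../../etc/passwd"))
```

Run against your own access logs, the scanner is a triage aid, not a verdict: decode before matching (the double-encoded line only reveals its `..` after two rounds), and treat a traversal attempt that returned 200 on an unpatched host as a potential data exposure to investigate, not just a blocked probe.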
Source articles (4)
- SAP Patchday: Critical vulnerabilities in SAP NetWeaver and other weaknesses — Heise.De · 2026-06-09
  SAP has released 15 new security notes for the June patch day on Tuesday morning. They address partly critical security vulnerabilities in the software, with three of them affecting SAP NetWeaver. In…
- CVE-2026-22732 — nvd.nist.gov · 2026-06-09
  When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security S…
- Warning: SAP Addresses Critical Vulnerabilities Affecting Multiple SAP products, Patch Immediately! — Ccb.Belgium.Be · 2026-06-09
  SAP has released fifteen security updates addressing a range of vulnerabilities across its core SAP products, including four critical vulnerabilities that require immediate attention from organization…
- OSINT - Securityonline.info — securityonline.info · 2026-06-09
Timeline
- 2026-03-19 — CVE-2026-22732 published: A vulnerability in Spring Security affecting SAP Commerce Cloud and SAP Data Hub was disclosed.
- 2026-04-08 — First public PoC for CVE-2026-22732: The first proof of concept for the Spring Security vulnerability was made public.
- 2026-06-09 — SAP releases critical security updates: SAP issued 15 security updates, including critical patches for vulnerabilities CVE-2026-44748, CVE-2026-27671, CVE-2026-40128, and CVE-2026-22732.
- 2026-06-09 — CVE-2026-44748 published: An XML signature vulnerability allowing forged signed XML documents was disclosed.
- 2026-06-09 — CVE-2026-27671 published: A critical vulnerability in the SAP Kernel due to improper RFC protocol validation was disclosed.
- 2026-06-09 — CVE-2026-40128 published: A Directory Traversal vulnerability in SAP NetWeaver Application Server Java was disclosed.
Related entities
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Sql Injection (Attack Type)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-22 - Path Traversal (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- CWE-89 - SQL Injection (Cwe)
- CWE-94 - Code Injection (Cwe)
- german.it (Domain)
- ABAP (Platform)
- ABAP Platform (Platform)
- NetWeaver Application Server ABAP (Platform)
- NetWeaver Application Server Java (Platform)
- SAP Commerce Cloud (Platform)
- SAP Data Hub (Platform)
- SAP Kernel (Platform)
- SAP NetWeaver (Platform)
- Spring Security (Platform)
- Path Traversal (Vulnerability)