top of page

SAP urgently patches ultra-critical vulnerability on NetWeaver ABAP

In the world of enterprise administration, SAP is like the "central nervous system" running all critical data flows. Because of this, any security crack appearing in this system can keep businesses on the edge of their seats.

Recently, in the July 2026 routine security update, SAP officially released urgent patches to address a series of critical vulnerabilities. Most notable among them is a vulnerability that nearly reached the absolute severity score (9.9/10), along with seemingly minor loopholes that wide open the door to hackers.

SAP officially released urgent patches to address a series of critical vulnerabilities.
SAP officially released urgent patches to address a series of critical vulnerabilities.

The "imminent" threat from the 9.9-rated vulnerability on SAP NetWeaver ABAP

The most alarming vulnerability in this batch is CVE-2026-44747 , with a nearly maximum Common Vulnerability Scoring System (CVSS) severity score of 9.9/10. This flaw lies within the SAP NetWeaver Application Server ABAP component.

  • How does it work? This is an "out-of-bounds write" error. Simply put, once an attacker has logged into the system, they can exploit logical errors in the way the system manages memory to scramble and corrupt this memory space.

  • Consequences: From corrupting memory, malicious actors can easily read covertly or unauthorizedly modify sensitive data, or worse, completely paralyze the system, leaving enterprises unable to operate.

  • Solution: Security experts from Onapsis state that enterprises can temporarily mitigate this by disabling specific ICF (a connection component) nodes via the SICF transaction. However, this workaround will prevent users from opening transactions on the web interface (SAP GUI for HTML). Therefore, the most comprehensive and recommended solution at this time is to quickly install the patched ABAP Kernel version.

CVE-2026-44747 vulnerability with CVSS 9.9/10 on NVD.
CVE-2026-44747 vulnerability with CVSS 9.9/10 on NVD.

Information leakage risk from web desynchronization (HTTP Smuggling)

In addition to the aforementioned 9.9-rated vulnerability, SAP also had to address another critical vulnerability scoring 9.1, identified as CVE-2026-27690. This flaw directly affects SAP Approuter deployments in non-Cloud Foundry environments.

  • Nature of the flaw: This is an "HTTP request/response smuggling" flaw. You can imagine when users send access requests to the web server, the system processes them sequentially. However, this vulnerability allows unauthenticated attackers to send specially crafted requests that disrupt the timing, desynchronizing the server's processing.

  • Consequences: This desynchronization causes response information originally intended for one user to be redirected to another (causing exposure of personal information), or triggers Denial of Service (DoS) attacks that crash the system due to overload.

Costly lesson from "copy-pasting" documentation directly into production

The final vulnerability with a score of 9.1 (CVE-2026-44761) resides in SAP Commerce Cloud. Notably, this flaw does not stem from complex source code, but rather from a very common habit: using pre-configured templates.

  • What is the cause? According to the NIST National Vulnerability Database (NVD), this flaw originates from sample configuration scripts provided on SAP's documentation pages in the past. These legacy documents failed to clearly warn users that: "Do not bring these sample configurations into production systems (production)."

  • Fatal loophole: As a consequence, many enterprises copy-pasted the sample configuration—which contained default, publicly known credentials (username/password)—directly into their running systems. Attackers only need to use these widely known default credentials to exchange for valid access tokens, thereby freely calling Application Programming Interfaces (APIs) to read and modify data.

  • How to remediate? Fortunately, if your enterprise has proactively removed this sample configuration or replaced the default password with a strong, unique security key beforehand, the system is entirely safe. If not, immediately review your production environment and delete this sample OAuth 2.0 account right away.

Advice for businesses

Although at present, experts have not detected any evidence of these vulnerabilities being exploited in the wild, "prevention is better than cure" is never redundant. Enterprises running SAP systems should promptly inspect, review, and apply the latest security updates of July 2026 to safeguard their digital assets.

Reference: The Hacker News

Comments


follow ipsip vietnam.png
40051abd5a76713af8f015988fc6780e-blue-phone-icon-with-a-wave-on-it.webp
whatsapp-mobile-software-icon-png-image_6315991.png
pngtree-minimal-calendar-icon-vector-png-image_21233134.png
IPSIP logo transparent.png

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)

Tax code: 0313859600

🏢 SH05.01, B4 Street, Saritown Area, An Khanh Ward, Ho Chi Minh City, Vietnam

​☎  +84 918 397 489

  • Linkedin
  • Facebook
  • TikTok
  • Email liên hệ
png-clipart-iso-iec-27001-information-security-management-iso-iec-27002-international-orga
soc 2 type ii

Our Services

Sign up to receive in-depth cybersecurity documents and news from IPSIP Vietnam.

bottom of page