SAP Patchday: Critical vulnerabilities in SAP NetWeaver and other weaknesses

For the June patch day, SAP is addressing 15 new vulnerabilities in several products. Three critical ones affect NetWeaver.

(Image: SAP, Collage heise online / dmk)

SAP released 15 new security notes for the June patch day on Tuesday morning. They address security vulnerabilities in the software, some of them critical; three of the notes concern SAP NetWeaver.

In SAP's patch day overview, a vulnerability in NetWeaver Application Server ABAP and ABAP Platform stands out: it allows authenticated attackers with normal privileges to obtain signed messages and send modified signed XML documents to the “Verifier”. This can lead to forged identity information being accepted, allowing attackers to gain unauthorized access to sensitive user data and to disrupt normal system usage (CVE-2026-44748, CVSS 9.9, Risk “critical”).

Attackers can also exploit an insufficient RFC protocol check in the SAP kernel of NetWeaver Application Server ABAP and ABAP Platform: manipulated packets trigger logic errors in memory management, without prior authentication. SAP speaks of an impact on the confidentiality, integrity, and availability of the application. Given the severity rating, this appears to be not merely a DoS vulnerability but one that also allows the injection of malicious code (CVE-2026-27671, CVSS 9.8, Risk “critical”).

In SAP NetWeaver Application Server Java (Web Container), malicious actors can craft an HTTP login request that manipulates file inclusion parameters, thereby performing a so-called path traversal and triggering the processing of the included file. This may allow attackers to view or modify sensitive information and to disable the system (CVE-2026-40128, CVSS 9.0, Risk “critical”). A vulnerability in Spring Security that can be exploited via certain HTTP headers also affects SAP Commerce Cloud and SAP Data Hub (CVE-2026-22732, CVSS 9.1, Risk “critical”).

In addition, SAP has updates for other security flaws in store, affecting:

  • Apache Tomcat in SAP Commerce Cloud,
  • Application Server ABAP from SAP NetWeaver and ABAP Platform,
  • ODP Data Replication APIs,
  • SAP S/4HANA,
  • SAP NetWeaver AS Java (JDBC Test Servlet),
  • SAP Wily Introscope Enterprise Manager,
  • SAP MDG (Review Match Groups Application),
  • SAP Business Objects Business Intelligence Platform,
  • SAP Fiori (launchpad),
  • SAP Business Objects and
  • SAP NetWeaver AS Java.

SAP links the security notes and the associated updates in the patch day overview. Admins should check whether they are running vulnerable SAP software and apply the available updates promptly.

In May, SAP likewise addressed 15 security vulnerabilities on its patch day. Two of them were rated critical; they allowed unauthorized individuals to log in or to perform SQL injection attacks, for example.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.