SAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce Cloud
SAP released 19 new and updated security notes during its July 2026 patch day, addressing vulnerabilities across its enterprise software suite. The highest severity issue is CVE-2026-44747 (CVSS 9.9), a memory corruption bug in NetWeaver Application Server ABAP allowing data access and system unavailability. Critical HTTP request smuggling (CVE-2026-27690, CVSS 9.1) was fixed in Approuter, affecting non-Cloud Foundry environments via unauthenticated crafted requests. A hardcoded credential flaw
Analysis
TL;DR
- SAP released 19 new and updated security notes during its July 2026 patch day, addressing vulnerabilities across its enterprise software suite.
- The highest severity issue is CVE-2026-44747 (CVSS 9.9), a memory corruption bug in NetWeaver Application Server ABAP allowing data access and system unavailability.
- Critical HTTP request smuggling (CVE-2026-27690, CVSS 9.1) was fixed in Approuter, affecting non-Cloud Foundry environments via unauthenticated crafted requests.
- A hardcoded credential flaw in Commerce Cloud (CVE-2026-44761, CVSS 9.1) allows unauthorized API access if customers retained sample OAuth2 configurations in production.
- Additional patches cover high-severity defects in Integration Suite, SAProuter, and NetWeaver Java, including updates for Apache Camel and Tomcat components.
Why It Matters
This update highlights the persistent risks associated with legacy enterprise architectures, particularly memory corruption in core application servers like NetWeaver. It underscores the critical importance of auditing third-party dependencies and sample configurations, as seen in the Commerce Cloud credential issue, to prevent unauthorized access in production environments. For security practitioners, this reinforces the need for immediate patch management and rigorous review of deployment scripts to eliminate hardcoded secrets.
Technical Details
- CVE-2026-44747 (CVSS 9.9): A memory corruption vulnerability in NetWeaver Application Server ABAP. Exploitation allows attackers to access/modify data and cause denial of service. Temporary mitigation involves disabling specific ICF nodes via transaction SICF.
- CVE-2026-27690 (CVSS 9.1): An HTTP request smuggling vulnerability in SAP Approuter (non-Cloud Foundry). Allows unauthenticated attackers to send crafted requests leading to request-response desynchronization.
- CVE-2026-44761 (CVSS 9.1): Hardcoded credentials in Commerce Cloud OAuth2 clients derived from sample scripts in SAP Help Portal. Enables unauthorized token acquisition and API invocation if default secrets are not replaced in production.
- Component Updates: Patches address multiple Apache Camel and Apache Tomcat security bugs within Integration Suite and Commerce Cloud notes.
- Scope: Fixes span NetWeaver, S/4HANA, Fiori, CRM, HANA Extended Application Services Classic Model, and SAProuter, ranging from critical to low severity.
Industry Insight
Organizations must prioritize the remediation of memory corruption vulnerabilities in core ERP components, as these often provide the highest privilege escalation paths. Enterprises should conduct immediate audits of all production environments for hardcoded credentials in sample configurations, particularly for cloud-connected modules like Commerce Cloud. Proactive dependency management is essential, as vulnerabilities in underlying libraries like Apache Camel and Tomcat can directly impact the security posture of integrated enterprise suites.
Disclaimer: The above content is generated by AI and is for reference only.