SAP Patches Four Critical NetWeaver Flaws — CVSS 9.9 SAML Bypass

SAP released its June 2026 Security Patch Day yesterday, addressing 15 vulnerabilities across its enterprise software portfolio. Four carry critical severity ratings, with the most severe—CVE-2026-44748—scoring an alarming CVSS 9.9 and enabling complete authentication bypass in SAML-federated environments.

Organizations running SAP NetWeaver in production environments should prioritize these patches immediately. The vulnerabilities affect core authentication and application server components that underpin critical business operations.

CVE-2026-44748: SAML Signature Wrapping (CVSS 9.9)

The headline vulnerability is an XML Signature Wrapping flaw in SAP NetWeaver AS ABAP and ABAP Platform. An authenticated attacker with normal privileges can obtain a valid signed SAML message and manipulate the XML structure to forge identity assertions. The verifier accepts the tampered document because the signature remains technically valid—it just no longer applies to the data the application trusts.

According to SAP's security note, successful exploitation enables "unauthorized access to sensitive user data and potential disruption of normal system usage." In practical terms, an attacker could impersonate any user in the federated identity system, including administrative accounts.

This attack class has plagued enterprise SSO implementations for over a decade. XML signature wrapping exploits the gap between which XML elements are cryptographically signed versus which elements the application actually processes. Despite industry awareness, new variants continue emerging in major platforms.

CVE-2026-27671: Memory Corruption RCE (CVSS 9.8)

The second critical vulnerability affects the SAP NetWeaver/ABAP Platform Application Server. CVE-2026-27671 is a memory corruption flaw exploitable without authentication by sending crafted RFC (Remote Function Call) requests to vulnerable endpoints.

The vulnerability stems from improper kernel validation of RFC message structures. An attacker sending malformed requests can corrupt memory in ways that enable arbitrary code execution on the application server. This provides a direct path to system compromise without requiring any credentials.

RFC interfaces are fundamental to SAP system integration. Many organizations expose these endpoints across internal networks or through SAP Router configurations, expanding the potential attack surface significantly.

Additional Critical Flaws

Two more vulnerabilities round out the critical severity tier:

CVE-2026-22732 (CVSS 9.1) - A Spring Security-related vulnerability affecting both SAP Commerce Cloud and SAP Data Hub. Details remain limited, but Spring Security flaws in authentication contexts typically enable privilege escalation or access control bypass.

CVE-2026-40128 (CVSS 9.0) - A directory traversal vulnerability in SAP NetWeaver Application Server Java's Web Container. Attackers can potentially access files outside intended directories, which may expose configuration data, credentials, or enable further exploitation.

Who's Affected

SAP NetWeaver forms the backbone of SAP's enterprise application stack. Affected deployments include:

• SAP S/4HANA systems built on NetWeaver
• SAP ECC (ERP Central Component) installations
• SAP BW/4HANA and legacy BW systems
• SAP Solution Manager environments
• SAP Commerce Cloud deployments
• SAP Data Hub instances

The breadth of affected products means most organizations running SAP infrastructure have at least one vulnerable system. Given SAP's role in financial reporting, supply chain management, and HR operations, these aren't systems that can tolerate extended patching delays.

Exploitation Likelihood

SAP vulnerabilities historically attract significant attacker interest. Nation-state groups have targeted SAP systems as pathways into high-value enterprise networks, and ransomware operators recognize the business-critical nature of ERP platforms.

The SAML bypass (CVE-2026-44748) is particularly concerning because:

1. SAML is widely deployed for enterprise SSO
2. The attack requires only low-privilege initial access
3. Successful exploitation grants impersonation of arbitrary users
4. Detection is difficult since forged assertions use valid signatures

Organizations using SAML federation with SAP systems should treat this patch as emergency-critical.

Recommended Actions

1. Apply patches immediately - Download and deploy SAP Security Notes from the Support Portal
2. Review SAML configurations - Audit which systems rely on SAML authentication to SAP
3. Monitor RFC traffic - Implement logging for unusual RFC connection patterns
4. Restrict RFC endpoints - Limit network access to RFC interfaces using SAP Router rules or firewalls
5. Validate patch deployment - Confirm vulnerable components are updated across all system landscapes (DEV/QA/PROD)

SAP provides detailed remediation guidance in their Security Patch Day documentation. Organizations with SAP Solution Manager can leverage the System Recommendations feature to identify missing security notes.

Why This Matters

SAP systems process trillions of dollars in global commerce annually. A compromise of SAP infrastructure can expose financial data, disrupt supply chains, and enable large-scale fraud. The authentication bypass vulnerability is especially dangerous because it undermines the identity foundation that all access controls depend upon.

For security teams managing SAP environments, this June patch cycle demands immediate attention. The combination of critical severity ratings, authentication bypass capabilities, and unauthenticated attack vectors creates compounding risk that attackers will move quickly to exploit.