SAP fixes critical flaws in NetWeaver and Commerce Cloud
Uncovering Critical Flaws in SAP NetWeaver and Commerce Cloud
SAP’s June 2026 Security Patch package fixes 15 vulnerabilities, four of them critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud. The most severe, CVE-2026-44748, is an XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and ABAP Platform with a CVSS score of 9.9. It is serious because it could allow an unauthenticated attacker to bypass authentication and perform malicious activities.
CVE-2026-27671 is another critical vulnerability, this time in SAP Commerce Cloud, with a CVSS score of 9.8. Here too an attacker could bypass authentication mechanisms and gain unauthorized access to sensitive data. Other vulnerabilities in the release include CVE-2026-22732, with a CVSS score of 9.1, and CVE-2026-40128 and CVE-2026-29145, whose CVSS scores also indicate critical severity. Together these flaws show how difficult it is to secure enterprise software, particularly its authentication mechanisms and data protection.
The vulnerabilities span several components of SAP’s portfolio, which makes securing these systems a broad task. SAP NetWeaver AS ABAP and ABAP Platform must be updated to address CVE-2026-44748, and SAP Commerce Cloud must be patched to fix CVE-2026-27671. These are not minor issues, and organizations need to treat them accordingly.
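XML Signature Wrapping works against consumers that confirm a signature is valid and then read a different element than the one the signature covers. The following Python example is added here for illustration; it is not SAP's code and does not model any SAP message format. It constructs a minimal signed document, a naive consumer that exhibits the classic mistake, and a hardened consumer that binds the consumed element to the signature's Reference. The digest routine is a deliberate simplification (SHA-256 over the element's serialization instead of real XML-DSig canonicalization) so the example runs with the standard library only; all element names and IDs are constructed.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace


def toy_digest(elem):
    """Stand-in for XML-DSig canonicalisation + DigestValue (assumption: real
    code uses C14N and a signature library). SHA-256 over the serialised element
    with its tail text dropped so position in the tree does not affect it."""
    c = copy.deepcopy(elem)
    c.tail = None
    return hashlib.sha256(ET.tostring(c, encoding="utf-8")).hexdigest()


def build_signed_response(subject, assertion_id):
    """Constructed sample: a Response holding one Assertion plus a detached
    Signature whose Reference names that Assertion by ID."""
    response = ET.Element("Response")
    assertion = ET.SubElement(response, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(response, DS + "Signature")
    ref = ET.SubElement(sig, DS + "Reference", URI="#" + assertion_id)
    ET.SubElement(ref, DS + "DigestValue").text = toy_digest(assertion)
    return ET.tostring(response, encoding="unicode")


def wrap(signed_xml, other_subject, reuse_id=False):
    """Defender's unit-test helper: move the signed Assertion under an unsigned
    one so document order and signature coverage no longer agree."""
    root = ET.fromstring(signed_xml)
    legit = root.find("Assertion")
    root.remove(legit)
    fake = ET.Element("Assertion", ID=legit.get("ID") if reuse_id else "_other")
    ET.SubElement(fake, "Subject").text = other_subject
    ET.SubElement(fake, "Extensions").append(legit)
    root.insert(0, fake)
    return ET.tostring(root, encoding="unicode")


def elements_with_id(root, id_value):
    return [e for e in root.iter() if e.get("ID") == id_value]


def naive_subject(xml_text):
    """Vulnerable pattern: checks that *a* signature verifies, then reads the
    first Assertion in document order without tying the two together."""
    root = ET.fromstring(xml_text)
    ref = root.find(DS + "Signature").find(DS + "Reference")
    target = elements_with_id(root, ref.get("URI").lstrip("#"))[0]
    if toy_digest(target) != ref.findtext(DS + "DigestValue"):
        raise ValueError("signature does not verify")
    return root.find("Assertion").findtext("Subject")  # not necessarily `target`


def hardened_subject(xml_text):
    """Binds the consumed element to the signed one: one Signature, a
    same-document Reference, a unique ID, a matching digest, and the signed
    element sitting exactly where the protocol expects it."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(DS + "Signature")
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature")
    ref = sigs[0].find(DS + "Reference")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    matches = elements_with_id(root, uri[1:])
    if len(matches) != 1:
        raise ValueError("referenced ID must be unique in the document")
    target = matches[0]
    if toy_digest(target) != ref.findtext(DS + "DigestValue"):
        raise ValueError("signature does not verify")
    if target.tag != "Assertion" or target not in list(root):
        raise ValueError("signed element is not the Assertion at the expected position")
    return target.findtext("Subject")


if __name__ == "__main__":
    good = build_signed_response("alice", "_a1")
    print(naive_subject(good), hardened_subject(good))      # alice alice
    wrapped = wrap(good, "admin")
    print(naive_subject(wrapped))                           # admin (bypass)
    try:
        hardened_subject(wrapped)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened consumer refuses the rearranged document outright rather than silently picking the signed element, which is the safer default for an authentication path: a message whose signed part is not where the protocol expects it should never be trusted. Real implementations should additionally verify the signing key against a trust store and use a library's canonicalization rather than the toy digest shown here.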
Fallout and Affected Industries
The potential impact of these vulnerabilities is significant. They could allow attackers to bypass authentication, leading to unauthorized access to sensitive data and systems, and so threaten the confidentiality and integrity of business data. They also underline the growing threat of identity-based attacks against enterprise applications. Businesses across many industries, especially those engaged in B2B and B2C commerce and relying on SAP’s ERP systems, online stores, and digital sales channels, may be affected. Given that reach, organizations need to act swiftly and thoroughly to secure the affected systems.
Security experts note that the recent patches for critical flaws in SAP NetWeaver and Commerce Cloud illustrate how hard it is to secure complex enterprise software. The complexity of these systems, combined with the evolving nature of cyber threats, calls for a proactive, multi-layered approach to security: applying security patches promptly and regularly reassessing overall security posture. This is an ongoing process, not a one-time task.
Protecting Yourself and Your Organization
To mitigate these vulnerabilities, organizations should apply SAP’s June 2026 Security Patch package as soon as possible. Updating SAP NetWeaver AS ABAP and ABAP Platform to address CVE-2026-44748 and patching CVE-2026-27671 in SAP Commerce Cloud are the critical steps. Organizations should also review their authentication mechanisms for weaknesses and consider additional controls, such as multi-factor authentication, to limit the impact of a bypass. Regular security audits and penetration testing help identify and address vulnerabilities before they can be exploited.
Organizations should keep all SAP systems current with the latest security patches and consider engaging security professionals to assess and strengthen the overall security posture of their SAP environments. This requires ongoing attention: the sequence of events from discovery to patching of these vulnerabilities shows why critical systems must be continuously monitored and patched.
In June 2026, SAP released fixes for these vulnerabilities as part of its Security Patch package, following the discovery of critical flaws including CVE-2026-44748 and CVE-2026-27671. Organizations that rely on SAP solutions should take immediate action to secure their systems.
Sources
- http://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2026.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44748
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27671
- https://nvd.nist.gov/vuln/detail/CVE-2026-44748
- https://nvd.nist.gov/vuln/detail/CVE-2026-27671
- https://support.sap.com/en/my-support/knowledge-base/security-notes.html/CVE-2026-44748
- https://support.sap.com/en/my-support/knowledge-base/security-notes.html/CVE-2026-27671
- https://nvd.nist.gov/vuln/detail/CVE-2026-22732
- https://support.sap.com/en/my-support/knowledge-base/security-notes.html/CVE-2026-22732
- https://nvd.nist.gov/vuln/detail/CVE-2026-40128
- https://nvd.nist.gov/vuln/detail/CVE-2026-29145