Executive Summary
In June 2026, SAP released patches for 15 vulnerabilities, including four critical flaws affecting SAP NetWeaver and SAP Commerce Cloud. The most severe, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, potentially allowing authentication bypass in SAML-based environments. Another critical issue, CVE-2026-27671 (CVSS 9.8), is a memory corruption flaw in SAP NetWeaver/ABAP Platform Application Server ABAP, exploitable without authentication via crafted RFC requests. Additionally, CVE-2026-22732 (CVSS 9.1) impacts SAP Commerce Cloud and SAP Data Hub due to a Spring Security-related vulnerability, and CVE-2026-40128 (CVSS 9.0) is a directory traversal vulnerability in SAP NetWeaver Application Server Java's Web Container. (bleepingcomputer.com)
These vulnerabilities underscore the critical need for organizations to promptly apply security patches to prevent potential exploitation. The rise in sophisticated attacks targeting enterprise platforms highlights the importance of maintaining up-to-date systems and implementing robust security measures to safeguard sensitive data and ensure business continuity.
Why This Matters Now
The recent disclosure of critical vulnerabilities in SAP's core platforms emphasizes the urgency for organizations to apply patches immediately. Delayed remediation increases the risk of unauthorized access, data breaches, and operational disruptions, especially given the growing sophistication of cyber threats targeting enterprise systems.
Attack Path Analysis
An unauthenticated attacker exploits the memory corruption vulnerability in SAP NetWeaver AS ABAP (CVE-2026-27671) with crafted RFC requests to gain initial access to the application server. The attacker then escalates privileges by exploiting a missing authorization check, gaining administrative control. With that elevated access, the attacker moves laterally to other systems within the network and establishes a command and control channel to maintain persistent access. Sensitive data is exfiltrated over that channel. Finally, the attacker disrupts operations by deploying ransomware across the compromised systems.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploits a memory corruption vulnerability in SAP NetWeaver AS ABAP (CVE-2026-27671) by sending crafted RFC requests, leading to unauthorized system access.
Related CVEs
CVE-2026-44748
CVSS 9.9
An XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and ABAP Platform allows an authenticated attacker to send modified signed XML documents, potentially leading to unauthorized access to sensitive user data and disruption of system usage.
Affected Products:
SAP NetWeaver AS ABAP and ABAP Platform – SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 918, SAP_BASIS 919
Exploit Status:
no public exploit

CVE-2026-27671
CVSS 9.8
A memory corruption vulnerability in SAP NetWeaver/ABAP Platform Application Server ABAP allows an unauthenticated attacker to send crafted RFC requests to vulnerable endpoints, leading to memory corruption.
Affected Products:
SAP NetWeaver AS ABAP and ABAP Platform – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 722EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 91.9
Exploit Status:
no public exploit

CVE-2026-22732
CVSS 9.1
A vulnerability in Spring Security used by SAP Commerce Cloud and SAP Data Hub may result in HTTP response headers not being written, potentially leading to security misconfigurations.
Affected Products:
SAP Commerce Cloud – HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
SAP Data Hub – HY_DHUB 2205, DHUB_CLOUD 2211
Exploit Status:
no public exploit

CVE-2026-40128
CVSS 9.0
A directory traversal vulnerability in SAP NetWeaver Application Server Java's Web Container allows an attacker to access arbitrary files on the server.
Affected Products:
SAP NetWeaver Application Server Java (Web Container) – ENGINEAPI 7.50
Exploit Status:
no public exploit
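CVE-2026-44748 is described above as an XML Signature Wrapping (XSW) flaw. The page gives no exploit details, and none are reproduced here; instead, the following is an added example (not SAP code and not tied to any SAP API) of the structural checks a SAML relying party should make after the cryptographic signature has been verified, because XSW works precisely when the signature validates but the application consumes a different element than the one that was signed. The namespaces are the standard SAML 2.0 and XML-DSig ones; the two Response documents and their IDs are constructed for the example.

```python
"""Structural check against XML Signature Wrapping (XSW) on a SAML Response.

Added example, not SAP code. It does NOT verify the cryptographic signature
(a relying party does that first); it enforces the property XSW attacks
violate: the Assertion the application acts on must be exactly the element
the signature's Reference covers, and nothing else may look like one.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]
REFERENCE = "{%s}Reference" % NS["ds"]


def signed_assertion(xml_text: str) -> ET.Element:
    """Return the single Assertion covered by the enveloped signature, or
    raise ValueError if the document has the shape of a wrapping attack."""
    root = ET.fromstring(xml_text)

    # 1. Exactly one Assertion anywhere in the document. Wrapped documents
    #    carry the attacker's unsigned assertion alongside the signed one.
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        raise ValueError("expected exactly 1 Assertion, found %d" % len(assertions))
    assertion = assertions[0]

    # 2. Exactly one Signature, and it must be a direct child of that
    #    Assertion, so the signed subtree is the assertion itself.
    signatures = list(root.iter(SIGNATURE))
    if len(signatures) != 1:
        raise ValueError("expected exactly 1 Signature, found %d" % len(signatures))
    signature = signatures[0]
    if signature not in list(assertion):
        raise ValueError("Signature is not enveloped in the Assertion")

    # 3. The Reference URI must name the assertion's own ID ...
    references = list(signature.iter(REFERENCE))
    if len(references) != 1:
        raise ValueError("expected exactly 1 Reference, found %d" % len(references))
    uri = references[0].get("URI", "")
    assertion_id = assertion.get("ID")
    if not assertion_id or uri != "#" + assertion_id:
        raise ValueError("Reference %r does not point at Assertion ID %r" % (uri, assertion_id))

    # 4. ... and that ID must be unique, or an ID-based lookup is ambiguous.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if ids.count(assertion_id) != 1:
        raise ValueError("Assertion ID %r is not unique" % assertion_id)
    return assertion


def consumed_subject(xml_text: str) -> str:
    """NameID of the assertion the relying party may act on."""
    return signed_assertion(xml_text).find("saml:Subject/saml:NameID", NS).text


def is_wrapped(xml_text: str) -> bool:
    """True when the structural checks reject the document."""
    try:
        signed_assertion(xml_text)
        return False
    except ValueError:
        return True


# Constructed documents; IDs and SignatureValue are placeholders, not captured traffic.
_HDR = ('<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" '
        'xmlns:ds="%(ds)s">' % NS)

BENIGN = _HDR + """
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Classic wrapping: the genuinely signed assertion is moved into ds:Object (its
# digest still matches), and an unsigned attacker assertion takes its place.
WRAPPED = _HDR + """
  <saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
      <ds:Object>
        <saml:Assertion ID="_a1">
          <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
        </saml:Assertion>
      </ds:Object>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("benign subject:", consumed_subject(BENIGN))
    print("wrapped rejected:", is_wrapped(WRAPPED))
```

The order matters: a parser that first verifies the signature (which passes, since the moved assertion still hashes correctly) and then reads "the Assertion" by tag name or by ID lookup is the one XSW defeats. Pinning the consumed element to the Reference target, and refusing documents with more than one Assertion, Signature or Reference, closes that gap independently of the vendor patch.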
MITRE ATT&CK® Techniques
Forge Web Credentials: SAML Tokens
Exploitation for Client Execution
Exploitation for Privilege Escalation
Direct Volume Access
Data Obfuscation: Steganography
Application Layer Protocol: Web Protocols
Endpoint Denial of Service: Application Exhaustion Flood
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical SAP NetWeaver and Commerce Cloud vulnerabilities expose enterprise software platforms to authentication bypass, memory corruption, and XML signature wrapping attacks requiring immediate patching.
Financial Services
SAP platform vulnerabilities threaten core banking systems and payment processing infrastructure, enabling unauthorized access to sensitive financial data through SAML authentication bypass exploits.
Retail Industry
SAP Commerce Cloud flaws directly compromise e-commerce platforms and digital sales channels, exposing customer data, payment systems, and order management to attacks that abuse the missing Spring Security response headers (CVE-2026-22732).
Health Care / Life Sciences
NetWeaver ERP vulnerabilities in healthcare systems risk HIPAA compliance violations through unauthorized patient data access via memory corruption and authentication bypass attack vectors.
Sources
- SAP fixes critical flaws in NetWeaver and Commerce Cloud: https://www.bleepingcomputer.com/news/security/sap-fixes-critical-flaws-in-netweaver-and-commerce-cloud/ (verified)
- SAP Security Patch Day - June 2026: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2026.html (verified)
- CVE-2026-22732 Detail: https://nvd.nist.gov/vuln/detail/CVE-2026-22732 (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it likely limits the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may be constrained by CNSF's ability to enforce strict access controls and monitor for anomalous behavior.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may be limited by Zero Trust Segmentation enforcing strict access controls and monitoring for unauthorized privilege escalations.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may be restricted by East-West Traffic Security enforcing strict segmentation and monitoring internal traffic for anomalies.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may be constrained by Multicloud Visibility & Control monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may be limited by Egress Security & Policy Enforcement monitoring and controlling outbound data flows.
The attacker's ability to deploy ransomware may be constrained by the cumulative enforcement of segmentation, access controls, and monitoring, reducing the scope of impact.
Impact at a Glance
Affected Business Functions
- Enterprise Resource Planning (ERP)
- E-commerce Platforms
- Data Integration Services
Estimated downtime: 3 days
Estimated loss: $500,000
Potential unauthorized access to sensitive user data and disruption of system usage.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the attacker's ability to access multiple systems.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities indicative of command and control communications.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Apply Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect anomalous interactions across cloud environments.
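The inline IPS recommendation above covers traffic as it arrives; until the NetWeaver Java patch for the Web Container directory traversal (CVE-2026-40128) is applied, a log-side sweep for traversal probes is the cheap complement. The following is an added example, not SAP code and not a signature for the specific flaw: it scans access-log lines for a request path that, once fully percent-decoded, contains a `..` segment, and reports whether the server answered 200 (the lines to triage first). The log format is Common Log Format, and the lines, hosts and paths are constructed for the example; the detection is generic to any traversal probe, including double-encoded and backslash variants.

```python
"""Find directory-traversal probes in web access logs.

Added example, not SAP code. Log lines, hosts and paths below are constructed;
the detection is generic: decode the request path until it is stable, treat
backslashes as separators, and flag any '..' that is a whole path segment.
"""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines. Paths are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2026:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
10.0.0.9 - - [10/Jun/2026:09:12:07 +0000] "GET /webdynpro/resources/../../../../etc/passwd HTTP/1.1" 200 1834
10.0.0.9 - - [10/Jun/2026:09:12:09 +0000] "GET /app/static/%2e%2e/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 922
10.0.0.9 - - [10/Jun/2026:09:12:11 +0000] "GET /app/static/%252e%252e%252f%252e%252e%252fWEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.7 - - [10/Jun/2026:09:12:14 +0000] "GET /app/static/..%5c..%5cboot.ini HTTP/1.1" 403 0
10.0.0.3 - - [10/Jun/2026:09:12:20 +0000] "GET /app/docs/release-notes...html HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def normalise_path(raw: str) -> str:
    """Percent-decode until the string stops changing (catches %252e double
    encoding), then treat backslashes as separators, as a lenient container
    might. Bounded so a hostile input cannot loop forever."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True when a whole segment of the decoded path is '..'.
    'release-notes...html' is a filename, not a traversal, and is not flagged."""
    path = normalise_path(raw_path.split("?", 1)[0])
    return any(segment == ".." for segment in path.split("/"))


def scan(log_text: str) -> list:
    """Return one dict per suspicious request; 'served' marks a 200 response,
    i.e. the server may actually have returned the traversed file."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match or not is_traversal(match["path"]):
            continue
        hits.append({
            "src": match["src"],
            "ts": match["ts"],
            "path": match["path"],
            "decoded": normalise_path(match["path"]),
            "status": int(match["status"]),
            "served": match["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "SERVED " if hit["served"] else "blocked"
        print(flag, hit["src"], hit["status"], hit["decoded"])
```

Matching on the decoded path rather than the raw string is what catches the `%252e%252e%252f` and `..%5c` variants; matching only on a literal `../` would miss three of the four probes in the sample. The 200 responses are the ones that warrant pulling the container's own logs to confirm what was actually read.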