SAP July 2026 Patch Day: Critical CVSS 9.9 Flaw in NetWeaver ABAP Demands Immediate Action
SAP July 2026 Patch Day: Critical CVSS 9.9 Flaw in NetWeaver ABAP Demands Immediate Action
SAP released its July 2026 Security Patch Day on July 14 with 16 new security notes, one GitHub security advisory, and three updates to previously issued notes. Four of the new notes carry HotNews priority, SAP's highest-urgency classification for vulnerabilities with CVSS scores of 9.0 or above. None of the newly disclosed flaws are confirmed as exploited in the wild as of publication, but that is a window, not a reason to wait.
The lead vulnerability: CVE-2026-44747 in NetWeaver AS ABAP (CVSS 9.9)
The most severe issue this cycle is CVE-2026-44747, a memory corruption vulnerability in SAP NetWeaver Application Server ABAP. It affects a wide range of kernel versions, from KRNL64NUC and KRNL64UC 7.22 through 7.22EXT, to KERNEL 7.22 through 9.20. That range covers both legacy and current NetWeaver deployments, which means most organizations running SAP on-premise are exposed.
An authenticated attacker with low privileges can exploit logical errors in memory management to trigger memory corruption on affected kernel versions. The flaw carries a changed scope, meaning successful exploitation can affect systems beyond the vulnerable component itself. SAP's advisory warns that impacts span confidentiality, integrity, and availability, with arbitrary code execution as a realistic worst-case outcome.
SAP has assigned this flaw to Security Note 3747367. Organizations that cannot patch immediately can use the temporary workaround of disabling all ICF nodes with a specific property in transaction SICF. That said, the workaround limits functionality and should not be treated as a permanent fix.
Two more critical flaws: Approuter and Commerce Cloud
CVE-2026-27690 (CVSS 9.1) affects SAP Approuter versions prior to 20.10.0 deployed outside Cloud Foundry environments. Approuter is a Node.js-based middleware layer that sits at the front of many SAP BTP application landscapes, routing requests to backend microservices. An unauthenticated attacker can send a crafted HTTP request that causes request-response desynchronization, exposing one user's response to another session and enabling denial-of-service conditions.
CVE-2026-44761 (CVSS 9.1) affects SAP Commerce Cloud releases HY_COM 2205 and COM_CLOUD 2211. The problem is straightforward: sample OAuth2 configuration scripts provided in SAP Help Portal documentation created OAuth2 clients with publicly documented credentials. Any organization that ran those scripts in production and did not replace the default secret is exposed. An unauthenticated attacker who knows these credentials can obtain a valid access token and invoke specific APIs to read and modify system data. Organizations that removed the sample client or replaced the secret with a strong, unique value are not affected.
High-severity fixes worth reviewing
Beyond the three critical notes, high-severity issues include multiple Apache Camel vulnerabilities in SAP Integration Suite's Edge Integration Cell (CVE-2026-40860, CVSS 8.8), a DLL hijacking flaw in SAProuter on Windows (CVE-2026-0487, CVSS 8.4), and Apache Tomcat vulnerabilities in Commerce Cloud (CVSS 8.1). SAP also updated its June advisory for CVE-2026-40128, a directory traversal in the NetWeaver AS Java Web Container (CVSS 9.0).
Why SAP patching pressure keeps rising
CISA has added 14 SAP vulnerabilities to its Known Exploited Vulnerabilities catalog since November 2021. Two of them were used by ransomware operators in confirmed attacks. In 2026, AI-assisted attack tools are routinely used to reverse-engineer security patches and generate working exploits within hours of release. That compression of the exploitation timeline makes rapid patch deployment, especially for HotNews notes, a direct operational priority rather than a best-practice recommendation.
SAP systems hold concentrated enterprise-critical data: financials, HR records, supply chain data, customer master files. A successful SAP breach gives an attacker access to all of it in one move, which is exactly why threat actors target these environments.
For organizations managing SAP landscapes at scale, manual patch tracking across complex ERP estates quickly becomes unmanageable. Security platforms such as tozenLabs specialize in automated SAP vulnerability monitoring and patch compliance, giving security teams real-time visibility into exposure across their SAP kernel versions, Approuter deployments, and Commerce Cloud configurations, so they can act before a disclosed flaw becomes an active incident.
Administrators should access the affected security notes through the SAP Support Portal, prioritize SAP Note 3747367 for the NetWeaver ABAP flaw, verify all Approuter deployments are updated to version 20.10.0 or later, audit Commerce Cloud environments for any remaining sample OAuth2 clients, and review Integration Suite edge nodes for Apache Camel updates.