SAP Patches a CVSS 9.9 Flaw: What Every Enterprise Running NetWeaver Needs to Do Now
SAP's July 2026 Security Patch Day, released on July 14, addressed 16 new security vulnerabilities across its enterprise product lineup, including a memory corruption flaw in NetWeaver Application Server ABAP carrying the maximum CVSS score of 9.9. If your organization runs SAP, this month's update is not one to defer to the next maintenance window.
The most critical vulnerability: CVE-2026-44747
Tracked as CVE-2026-44747, the NetWeaver ABAP flaw sits at the top of this cycle. SAP describes it as a memory corruption issue caused by logical errors in how certain kernel versions handle memory management. A low-privileged attacker can exploit it remotely, compromising the confidentiality, integrity, and availability of the affected system.
The flaw spans a wide range of kernel releases: KRNL64NUC and KRNL64UC 7.22 through 7.22EXT, and KERNEL 7.22 through 9.20, which covers both legacy and current NetWeaver deployments. SAP Security Note 3747367 contains the full remediation details. Given the CVSS score and the breadth of affected versions, this should be treated as an emergency patch rather than a scheduled maintenance item.
Two more critical flaws in this cycle
CVE-2026-27690 is an HTTP request smuggling vulnerability in SAP AppRouter, versions prior to 20.10.0, rated CVSS 9.1. It can be exploited without authentication. Request-smuggling attacks disrupt how front-end proxies communicate with back-end applications, which can let attackers bypass security controls entirely, poison caches shared by other users, or expose sensitive requests.
CVE-2026-44761 affects SAP Commerce Cloud versions HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21, also rated CVSS 9.1. The problem is insecure sample credentials shipped with default installations. Default credentials are one of the most common and avoidable attack vectors in enterprise software. If Commerce Cloud instances are running with factory-set sample accounts, that needs to change immediately.
SAP also updated the June advisory for CVE-2026-40128, a directory traversal flaw in the NetWeaver AS Java Web Container carrying a CVSS score of 9.0. That flaw allows unauthenticated attackers to access or modify files outside the intended directory simply by having network access to a reachable endpoint.
Why SAP systems are under increasing pressure
SAP environments hold financial transactions, HR records, supply chain data, production schedules, and customer master data, all in one system. That concentration of value makes them priority targets for ransomware groups, financially motivated attackers, and nation-state actors. A successful breach gives attackers access to all of it simultaneously.
Security researchers at Onapsis note that AI-assisted attack tools in 2026 can reverse-engineer SAP security patches and generate working exploits within hours of a patch's public release. The gap between patch availability and active exploitation is shrinking, which changes the calculus around deferred patching.
This cycle's release comes weeks after the Mini Shai-Hulud supply chain attack in May 2026, which compromised four SAP npm packages and affected more than 1,800 developers. That incident demonstrated that the attack surface for SAP environments now extends beyond production systems into developer toolchains and CI/CD pipelines.
What to do right now
Administrators should pull the complete list of SAP Security Notes from the July 2026 advisory page and identify which versions are running in their environment. Priority goes to any internet-facing Approuter deployments, Commerce Cloud instances, and NetWeaver systems running the affected kernel versions.
In parallel, remove sample accounts, rotate exposed credentials, validate reverse-proxy configurations, and review SAP logs for unusual activity or unauthorized access attempts. Organizations looking for automated monitoring and advisory tools specifically built for SAP security posture, including identity and access management controls for ERP environments, can find relevant resources at tozenlabs.com. Purpose-built ERP security intelligence tools can reduce the time between patch release and validated remediation, which matters more now that exploitation windows are measured in hours rather than days.
The cost of a breach in a core SAP environment, across data exposure, regulatory penalties, operational downtime, and recovery, consistently exceeds the cost of an annual security program. Patching quickly remains the most cost-effective option available.