CVE-2026-44748, the CVSS 9.9 SAML authentication bypass in SAP NetWeaver ABAP, requires a systematic assessment approach in complex enterprise SAP landscapes. Many large organisations run dozens of NetWeaver instances across development, quality assurance, training, and production landscapes, and each instance requires individual assessment and patching.
Identifying Affected Systems
Step 1: Inventory all NetWeaver ABAP instances
Use the SAP Landscape Management (LaMa) or Solution Manager system landscape directory to enumerate all managed ABAP systems. For unmanaged or non-Solution Manager environments, query the SAP Systems Inventory directly.
Key information to collect per system:
- System ID (SID) and system number
- NetWeaver release version
- Whether the system is accessible via SAML authentication (configured in transaction SAML2)
- Internet exposure: is SAP Router or the ICM (Internet Communication Manager) externally accessible?
- System purpose: production, QA, development, training, demo
Step 2: Check SAML configuration
CVE-2026-44748 only affects systems where SAML 2.0 authentication is enabled. In each ABAP system, check:
Transaction SAML2: check whether the Service Provider is active.
Systems where SAML2 is not configured are not directly affected by CVE-2026-44748, although they may still be affected by other June Patch Day vulnerabilities.
Step 3: Assess internet exposure
Systems accessible from the internet (through SAP Web Dispatcher, SAP Router, or direct ICM internet exposure) are at highest risk. An internet-exposed NetWeaver with SAML enabled is exploitable from the internet without authentication.
Systems accessible only from the enterprise intranet are at lower (but non-zero) risk; an internal attacker or post-compromise exploitation is the relevant threat path.
Patch Prioritisation
| Tier | Systems | Priority |
|---|---|---|
| 1 | Internet-exposed production systems with SAML enabled | Emergency: patch within 24 hours |
| 2 | Intranet-accessible production systems with SAML enabled | High: patch within 72 hours |
| 3 | Internet-exposed development/QA systems with SAML enabled | High: the same unauthenticated exploit path is reachable, and these systems give an attacker a place to test exploit code |
| 4 | Systems without SAML enabled | Standard patch cycle |
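The three inventory steps and the tier table above can be turned into a repeatable ranking. The following is an added example, not code from the original page; the inventory record layout, the 72-hour window for tier 3 (the table gives no figure), the placement of intranet-only non-production systems in tier 3 (the table does not list them), and the treatment of an unverified SAML2 status as "enabled" until it has been checked are all assumptions of this example.

```python
"""Added example (not from the page): rank NetWeaver ABAP systems into the
patch tiers of the table above.

Assumptions: the inventory record layout, the 72-hour window for tier 3,
the placement of intranet-only non-production systems in tier 3, and the
treatment of an unverified SAML2 status as enabled until checked.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AbapSystem:
    sid: str
    release: str
    purpose: str                 # production, qa, development, training, demo
    saml_active: Optional[bool]  # None: SAML2 service-provider status not yet verified
    internet_exposed: bool       # reachable through Web Dispatcher, SAP Router or ICM


# tier -> (priority label, patch window from start of assessment; None = standard cycle)
TIERS = {
    1: ("Emergency", timedelta(hours=24)),
    2: ("High", timedelta(hours=72)),
    3: ("High", timedelta(hours=72)),   # assumption: same window as tier 2
    4: ("Standard", None),
}


def assign_tier(system: AbapSystem) -> int:
    """Map one system onto the prioritisation table.

    An unverified SAML status counts as enabled: a system whose SAML2
    configuration has not been checked must not wait in the standard cycle.
    """
    saml_enabled = system.saml_active is not False
    if not saml_enabled:
        return 4
    if system.purpose == "production":
        return 1 if system.internet_exposed else 2
    # Non-production with SAML enabled. The table names the internet-exposed
    # case; intranet-only non-production is placed in the same tier (assumption).
    return 3


def patch_queue(systems: List[AbapSystem],
                start: datetime) -> List[Tuple[int, str, str, Optional[datetime]]]:
    """Return (tier, SID, label, deadline) rows, most urgent first."""
    rows = []
    for system in systems:
        tier = assign_tier(system)
        label, window = TIERS[tier]
        rows.append((tier, system.sid, label, start + window if window else None))
    return sorted(rows, key=lambda row: (row[0], row[1]))


if __name__ == "__main__":
    # Constructed inventory for illustration, not real systems.
    inventory = [
        AbapSystem("PRD", "7.58", "production", True, True),
        AbapSystem("ERP", "7.57", "production", True, False),
        AbapSystem("QAS", "7.58", "qa", True, True),
        AbapSystem("DEV", "7.58", "development", False, False),
        AbapSystem("TRN", "7.52", "training", None, False),
    ]
    for tier, sid, label, deadline in patch_queue(inventory, datetime(2026, 6, 10, 9, 0)):
        print(f"tier {tier}  {sid}  {label}  patch by {deadline or 'standard cycle'}")
```

The `saml_active` field is deliberately tri-state: an inventory that only records "yes" or "no" silently pushes every unchecked system into the standard cycle, which is the wrong default while the SAML2 transaction has not yet been opened on it.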
SAP Security Note 3578412: Apply this SAP Note (through the Note Assistant, transaction SNOTE) to all affected systems. Application requires appropriate ABAP development authorisation (S_DEVELOP) and transport management authority. Plan for transport testing in QA before production application, following your organisation's standard SAP transport procedure.
Compromise Assessment
For production systems that were internet-exposed with SAML enabled, perform a compromise assessment before declaring the patch successful:
SAP Security Audit Log review (Transaction SM20):
- Filter for authentication events with outcome "failure" or unusual user IDs
- Look for login events from unusual IP addresses, especially external addresses that are not normally associated with legitimate SAP access
- Look for SAML assertion processing events followed by administrative actions (user creation, authorisation changes)
SAP System Log review (Transaction SM21):
- Filter for HTTP request processing errors that may indicate exploitation attempts
- Look for unusual access to SAML-related function modules (SAML_*, SSO_*)
User administration review (Transaction SU01, SU10):
- Review recently created users β particularly any user created after a suspicious access event
- Review recent authorisation profile assignments β check for privilege escalation (assignment of SAP_ALL or equivalent composite profiles)
Critical authorisation object audit (Transaction SUIM):
- Who has S_DEVELOP (ABAP development) authorisation? Unexpected accounts with development access could indicate post-compromise credential establishment.
- Who has recently used RFC connections (SM21 RFC log)? Unexpected RFC activity may indicate lateral movement through SAP RFC connections.
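The SM20 checks above (external logon sources, and logons followed by user creation or authorisation changes) are the kind of correlation a SIEM rule would run. The following is an added example, not code from the original page or from SAP: the record layout is a simplified SM20 export constructed for this example, the sample events and internal address ranges are made up, and AU1, AU7 and AUB are used as the Security Audit Log message IDs for "logon successful", "user created" and "authorizations changed" (confirm them against the message list of your release).

```python
"""Added example (not from the page): correlate Security Audit Log events for
the compromise assessment above.

Assumptions: the record layout is a constructed simplification of an SM20
export, the sample events and address ranges are made up, and AU1, AU7 and
AUB are taken as the message IDs for logon successful, user created and
authorizations changed.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed internal ranges; replace with the enterprise's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ADMIN_EVENTS = {"AU7": "user created", "AUB": "authorizations changed"}
WINDOW = timedelta(minutes=30)  # how soon after a logon an admin action counts as linked

# Constructed sample export: (timestamp, message ID, acting user, terminal, message text)
SAMPLE_EVENTS = [
    ("2026-06-10 02:14:05", "AU1", "JSMITH", "10.20.30.40", "Logon successful"),
    ("2026-06-10 02:41:17", "AU1", "PAYROLL_ADM", "203.0.113.57", "Logon successful"),
    ("2026-06-10 02:43:02", "AU7", "PAYROLL_ADM", "203.0.113.57", "User SVC_BACKUP2 created"),
    ("2026-06-10 02:44:50", "AUB", "PAYROLL_ADM", "203.0.113.57", "Authorizations for user SVC_BACKUP2 changed"),
    ("2026-06-10 05:30:00", "AU1", "JDOE", "198.51.100.9", "Logon successful"),
    ("2026-06-10 06:30:00", "AUB", "JDOE", "198.51.100.9", "Authorizations for user JDOE2 changed"),
    ("2026-06-10 08:05:11", "AU1", "BASISOPS", "10.20.30.41", "Logon successful"),
    ("2026-06-10 08:06:00", "AU7", "BASISOPS", "10.20.30.41", "User TRAIN_USER1 created"),
]

Event = Tuple[datetime, str, str, str, str]


def parse(rows) -> List[Event]:
    """Parse the export rows and return them in time order."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), mid, user, term, text)
        for ts, mid, user, term, text in rows
    )


def is_external(terminal: str) -> bool:
    """True when the terminal is an address outside the internal ranges.

    A terminal recorded as a hostname rather than an address cannot be
    matched against the ranges; it is treated as external so it is reviewed
    rather than silently dropped.
    """
    try:
        ip = ipaddress.ip_address(terminal)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def find_suspicious_sequences(rows) -> List[Dict]:
    """Flag logons from external sources followed, within WINDOW, by user
    creation or authorisation changes performed by the same user."""
    events = parse(rows)
    findings = []
    for i, (ts, mid, user, term, _) in enumerate(events):
        if mid != "AU1" or not is_external(term):
            continue
        actions = [
            (t2, ADMIN_EVENTS[m2], text)
            for t2, m2, u2, _, text in events[i + 1:]
            if u2 == user and m2 in ADMIN_EVENTS and t2 - ts <= WINDOW
        ]
        if actions:
            findings.append({"user": user, "source": term, "logon": ts, "actions": actions})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_sequences(SAMPLE_EVENTS):
        print(hit["logon"], hit["user"], "from", hit["source"])
        for when, what, text in hit["actions"]:
            print("   ", when, what, "-", text)
```

In the constructed sample only PAYROLL_ADM is flagged: the BASISOPS sequence comes from an internal address, and JDOE's authorisation change falls outside the 30-minute window. Whether an AU1 logon actually arrived through SAML is not encoded in this simplified layout; on a real export, restrict the first match to the logon method your release records for SAML, and confirm any SAP_ALL assignment against the user change documents in SU01 rather than the audit log text.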
Future SAP Security Posture
Two critical SAP SAML-related vulnerabilities in 2026 suggest that the SAML implementation in NetWeaver warrants focused security attention. For organisations with mature SAP security programmes:
SAP Vulnerability Management: Integrate SAP Security Notes into your vulnerability management process. SAP Security Patch Day falls on the second Tuesday of each month, aligned with Microsoft Patch Tuesday. Automate notification via SAP's Security Note alert service.
SAP penetration testing: Commission annual penetration testing of internet-facing SAP systems, specifically targeting authentication mechanisms (SAML, OAuth, SAP SSO) and RFC gateway configurations. Standard enterprise penetration testing rarely covers SAP-specific attack surfaces.
SAP-aware SIEM integration: Configure SIEM ingestion of SAP Security Audit Log (SM20) and System Log (SM21) data. Most SIEM platforms have SAP integration capabilities through dedicated connectors. Without this integration, SAP authentication events are invisible to the security operations team.