// #sap
6 articles
SAP Landscape Security Assessment: Managing NetWeaver Vulnerabilities Across Enterprise ERP Environments
CVE-2026-44748 (CVSS 9.9) in SAP NetWeaver ABAP is the second critical SAP vulnerability of 2026 affecting SAML authentication. Enterprise organisations running complex SAP landscapes with multiple NetWeaver instances face challenges in identifying which systems are affected, prioritising patching across landscape tiers, and assessing whether compromise indicators are present.
SAP June 2026 Security Patch Day: CVSS 9.9 SAML Authentication Bypass CVE-2026-44748 in NetWeaver ABAP
SAP's June 2026 Security Patch Day includes CVE-2026-44748, a CVSS 9.9 authentication bypass in SAP NetWeaver Application Server ABAP that allows unauthenticated remote attackers to forge SAML assertions and impersonate any user including system administrators. Twenty-one additional CVEs were patched, including three rated Critical.
SAP May 2026 Security Patch Day: Critical SQL Injection in S/4HANA and Unauthenticated RCE in Commerce Cloud
SAP's May 2026 Security Patch Day addresses 14 vulnerabilities including two Critical-rated flaws: a SQL injection in S/4HANA Enterprise Search (CVE-2026-34260, CVSS 9.6) and an unauthenticated remote code execution in Commerce Cloud's Spring Security configuration (CVE-2026-34263, CVSS 9.6). Organisations running SAP ERP or e-commerce infrastructure should patch immediately.
Official SAP npm Packages Compromised to Steal Enterprise Developer Credentials
Threat actors compromised official SAP npm packages to insert credential-harvesting code targeting enterprise developers working on SAP integration projects. The malicious packages exfiltrate environment variables, SSH keys, and cloud credentials from developer workstations. Enterprise teams using SAP npm packages in their CI/CD pipelines should audit package integrity and rotate potentially exposed credentials.
SAP April 2026 Patch Day: CVE-2026-34256 ABAP Code-Overwrite Lets Authenticated Attacker Sabotage Core ERP Functions
SAP's April 2026 Security Patch Day includes a fix for CVE-2026-34256, an ABAP code-overwrite vulnerability rated CVSS 7.1 that allows an authenticated attacker with low-privilege access to modify executable ABAP programme objects, potentially corrupting core business logic in SAP ERP, S/4HANA, and BW systems. The flaw requires no special administrative roles and affects all SAP NetWeaver ABAP Server releases through the current patched version.
SAP BPC SQL Injection (CVE-2026-27681, CVSS 9.9) Gives Low-Privilege Users Full Access to Financial ERP Data
A near-perfect CVSS 9.9 SQL injection vulnerability in SAP Business Planning and Consolidation and BW/4HANA allows any authenticated user with standard access to read, modify, and delete financial consolidation data. SAP patched the flaw in its April 2026 Security Patch Day; organisations should treat unpatched SAP financial systems as having their financial data integrity at risk from any internal user with SAP credentials.