SAP has issued its July 2026 Security Patch Day updates, aiming to resolve a critical memory corruption vulnerability identified in the SAP NetWeaver Application Server ABAP. This significant flaw, cataloged as CVE-2026-44747, holds a CVSS score of 9.9 and impacts several SAP kernel versions utilized in enterprise settings.
Details of the Critical Vulnerability
On July 14, SAP unveiled 16 new security notes and a GitHub security advisory, also updating three previously released notes. It is crucial for administrators to examine affected systems and prioritize the application of these fixes through the SAP Support Portal. The critical NetWeaver ABAP vulnerability is detailed in SAP Security Note 3747367. CVE-2026-44747 involves memory corruption due to improper handling of memory operations, potentially allowing an attacker to alter program execution, access sensitive data, disrupt services, or execute malicious code under specific circumstances.
This vulnerability affects various SAP kernel and NetWeaver versions, such as KRNL64NUC and KRNL64UC 7.22 and 7.22EXT, alongside versions 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, and 9.20. Organizations are advised to confirm their software components and patch levels in their SAP environment before deploying the patch.
Additional Critical Vulnerabilities
The CVSS vector associated with this vulnerability indicates that exploitation is network-based, requiring low attack complexity and privileges, with no need for user interaction. Successful exploitation could detrimentally affect confidentiality, integrity, and availability. Furthermore, changes in the attack scope imply that a compromised component may influence resources beyond its initial security perimeter.
SAP’s July Patch Day also addresses two other critical vulnerabilities: CVE-2026-27690, an HTTP request smuggling issue in SAP Approuter versions prior to 20.10.0, rated 9.1, and CVE-2026-44761, which affects SAP Commerce Cloud releases HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21 due to insecure sample credentials, also rated 9.1. These vulnerabilities could enable unauthorized access and manipulation of HTTP requests.
Recommendations for Administrators
SAP has updated its June security note for CVE-2026-40128, a directory traversal vulnerability in the SAP NetWeaver Application Server Java Web Container, with a CVSS score of 9.0. This flaw may allow attackers to access or modify files outside of the intended directory path. Security teams should prioritize SAP Note 3747367, verify kernel compatibility, test patches in non-production environments, and expedite deployment for internet-facing or business-critical NetWeaver instances.
Administrators should also limit unnecessary network access to SAP application servers, review privileged accounts, monitor system logs for unusual activity, and ensure backups are available before maintenance. SAP Security Patch Days are a regular avenue for releasing corrective Security Notes, and SAP advises customers to review and implement relevant notes to safeguard their SAP landscapes.
Strengthen your Security Operations Center (SOC) by integrating ANY.RUN for enhanced threat detection and rapid incident responses.
