SAP Fixes Critical 9.9 Severity Flaw in NetWeaver ABAP Platform
SAP released its July 2026 security updates addressing several vulnerabilities, with the most severe being CVE-2026-44747, a critical out-of-bounds write flaw in SAP NetWeaver Application Server ABAP scored at 9.9 on the CVSS scale. This vulnerability allows authenticated attackers to exploit memory-management errors, leading to memory corruption that could enable unauthorized access to data, modifications, or service disruptions. While a temporary workaround exists involving disabling specific ICF nodes through transaction SICF, this approach blocks certain SAP GUI for HTML functionality and is not practical for all environments, making installation of the patched ABAP Kernel the strongly recommended solution.
Another critical vulnerability, CVE-2026-44761, stems from an unfortunate configuration issue related to SAP's own documentation. Sample configuration scripts published on the SAP Help Portal for development and testing purposes created OAuth 2.0 clients with hard-coded, publicly known credentials. The problem arose when organizations unknowingly imported these sample configurations into production environments without changing the default secrets, essentially leaving the front door open with a key under the mat. An unauthenticated attacker who knows these well-known credentials can obtain valid access tokens and use certain APIs to read and modify sensitive data, though the vulnerability does not affect system availability.
The root cause of CVE-2026-44761 highlights a documentation gap where older SAP materials failed to adequately warn users against deploying sample configurations in production systems. Organizations that either deleted the sample OAuth 2.0 client or replaced its default secret with a strong, unique credential are not vulnerable. Security teams should immediately audit their production SAP environments to identify any instances of these sample clients and remove them or rotate their credentials.
While there is currently no evidence of active exploitation of these vulnerabilities in the wild, the critical nature of these flaws and their potential impact make immediate patching essential. The combination of memory corruption vulnerabilities and authentication bypass issues represents significant risk to organizations running SAP systems, particularly given the sensitive business data these platforms typically handle. Security professionals should prioritize these updates and conduct thorough reviews of their SAP configurations to ensure no other development or testing artifacts remain in production environments.
Stay secure — stay Wavasec. 🔐