July 2026 · 17 notes
Patch IntelligenceSAP Security Patches
Every SAP Security Note from Patch Tuesday, ranked by what actually matters to your landscape. Tier 1 products are in almost every SAP shop — missing a patch there is career-ending for BASIS admins.
3
Critical
6
High
7
Medium
1
Low
Tier 1 · Always covered
Products in virtually every SAP environment. Patch these first, every month.
Memory Corruption in SAP NetWeaver AS ABAP Internet Transaction Server
A memory corruption vulnerability in the Internet Transaction Server (ITS) component of SAP NetWeaver AS ABAP allows a remote attacker to send specially crafted HTTP requests that corrupt memory, enabling arbitrary code execution. Successful exploitation compromises confidentiality, integrity, and availability of the affected system. The CVSS 9.9 score reflects broad version coverage and low exploit complexity.
Cross-Site Scripting in SAP NetWeaver AS Java Configuration Wizard
Unauthenticated cross-site scripting vulnerability in the Configuration Wizard component of SAP NetWeaver Application Server Java. An attacker can craft a malicious URL targeting the Configuration Wizard that, when visited by an authenticated administrator, executes scripts in the victim's browser context — potentially enabling session hijacking or administrative action injection.
Remote Code Execution in SAP Change and Transport System Attach Tool
An insecure deserialization vulnerability in the SAP Change and Transport System Attach Tool (ctsattach) allows an attacker with network access to the tool to send a maliciously crafted payload that triggers remote code execution on the server hosting ctsattach. The CTS Attach Tool is used for attaching external systems to the SAP Change and Transport System.
Open Redirect in SAP NetWeaver AS ABAP Internet Transaction Server
An open redirect vulnerability in the Internet Transaction Server (ITS) component of SAP NetWeaver AS ABAP allows an unauthenticated attacker to craft a URL that redirects users to an external attacker-controlled domain, enabling phishing attacks targeting SAP users.
Cross-Site Scripting in SAP NetWeaver AS ABAP Business Server Pages
Cross-site scripting vulnerability in the Business Server Pages (BSP) component of SAP NetWeaver AS ABAP. An attacker can craft a URL targeting a BSP application that, when visited by an authenticated user, executes scripts in the victim's browser context.
Missing Authorization Check in SAP S/4HANA Draft Operations
Missing authorisation check in the Draft Operations functionality within the Cash and Liquidity Management component of SAP S/4HANA. An authenticated user can access or modify draft financial documents beyond their intended authorisation scope.
Missing Authorization Check in SAP S/4HANA Single Payment
Missing authorisation check in the Single Payment functionality of SAP S/4HANA Accounts Payable Fiori app. An authenticated attacker can initiate or view payment transactions beyond their intended authorisation, potentially triggering or viewing financial payments without proper approval.
Tier 2 · Covered when notable
Products with real deployments that have something worth acting on this month.
HTTP Request Smuggling in SAP Approuter
An HTTP request smuggling vulnerability in SAP Approuter allows an unauthenticated remote attacker to inject malicious HTTP requests that are interpreted differently by the Approuter and the upstream application server. This can be used to bypass security controls, hijack authenticated sessions, or poison server-side caches. Exploitable in non-Cloud Foundry deployment environments.
Hardcoded Sample OAuth2 Credentials in SAP Commerce Cloud OCC
SAP Commerce Cloud ships sample OAuth2 credentials in default configuration files for the OCC (Omnichannel Commerce) API layer. These sample credentials remain active in production environments where the default configuration has not been explicitly replaced. An attacker who discovers these credentials — which are publicly documented in SAP sample code — gains authenticated API access with the permissions of the sample client, potentially enabling unauthorised data access and modification across the commerce platform.
Apache Camel Vulnerabilities in SAP Integration Suite Edge Integration Cell
Multiple deserialization and code execution vulnerabilities in the Apache Camel framework (CVE-2026-40860, CVE-2026-40453, CVE-2026-33454) affect SAP Integration Suite Edge Integration Cell deployments prior to version 8.43.11. Successful exploitation can allow an attacker with access to integration endpoints to trigger remote code execution via malicious payloads in Camel routes.
DLL Hijacking in SAProuter for Windows
A DLL hijacking vulnerability in the SAProuter Windows installation allows a local attacker with write access to the SAProuter directory to place a malicious DLL that is loaded on SAProuter startup, resulting in arbitrary code execution with the privileges of the SAProuter process. SAProuter typically runs with elevated permissions and has network access to all SAP systems in the landscape.
Open Redirect in SAP Approuter OAuth2 Login Flow
An open redirect vulnerability in the OAuth2 login flow of SAP Approuter allows an unauthenticated attacker to craft a URL that redirects users to an attacker-controlled domain after authentication. This enables phishing attacks that harvest SAP credentials or tokens by redirecting victims post-login.
Multiple Apache Tomcat Vulnerabilities in SAP Commerce Cloud
Multiple Apache Tomcat vulnerabilities (CVE-2026-43512, CVE-2026-41293, CVE-2026-43515) in the embedded Tomcat server of SAP Commerce Cloud. The flaws include memory management issues and request handling defects in Tomcat that can be exploited to cause denial of service or, under specific conditions, trigger further compromise of the Commerce Cloud application server.
Reflected XSS in SAP NetWeaver Enterprise Portal
Reflected cross-site scripting vulnerability in URL parameters of SAP NetWeaver Enterprise Portal. An attacker can craft a malicious URL that, when visited by an authenticated portal user, executes scripts in the victim's browser context, enabling session hijacking or credential theft.
SQL Injection in SAP S/4HANA Portfolio and Project Management
SQL injection vulnerability in the Portfolio and Project Management (PPM) module of SAP S/4HANA. An authenticated attacker can inject SQL statements through unsanitised input fields, potentially accessing or modifying project and portfolio data beyond their authorised scope.
Tier 3 · Critical CVEs only
Niche or SaaS-only products. Covered here when severity warrants it.
Security Misconfiguration in SAP CRM WebClient UI
A security misconfiguration in the SAP CRM WebClient UI exposes internal configuration or session information that could be leveraged by an authenticated attacker to gain additional access or map internal system structure.
Information Disclosure via Distinguishable Responses in SAP HANA XS Classic
An information disclosure vulnerability in the User Self Service component of SAP HANA Extended Application Services Classic (XS Classic) allows an unauthenticated attacker to enumerate valid usernames by observing differences in server responses to valid versus invalid user inputs during password reset or login flows.