critical2026-07-14SAP NetWeaverCVE-2026-44747

Memory Corruption in SAP NetWeaver AS ABAP Internet Transaction Server

SAP NetWeaver AS ABAP (Internet Transaction Server)

Our Take

CVSS 9.9 on a memory corruption vulnerability in a core NetWeaver component is the highest possible threat level for most SAP shops. ITS handles web-based SAP transactions and is often internet-facing. If you have not already patched, this is your weekend call.

Vulnerability Detail

A memory corruption vulnerability in the Internet Transaction Server (ITS) component of SAP NetWeaver AS ABAP allows a remote attacker to send specially crafted HTTP requests that corrupt memory, enabling arbitrary code execution. Successful exploitation compromises confidentiality, integrity, and availability of the affected system. The CVSS 9.9 score reflects broad version coverage and low exploit complexity.

Workaround

Restrict external access to ITS web endpoints using a WAF or reverse proxy. If ITS is not required, consider disabling it until the patch is applied.

Patch Action

Apply SAP Note 3747367 immediately. Verify affected versions in the official SAP Note. A system restart is required after patching.

Patch Info

Priority

🔴 Patch immediately

CVSS Score

9.9

SAP Note

3747367

CVE

CVE-2026-44747

Published

2026-07-14

← All patches