The Patch That Could Have Been a Breach
I got the alert at 3:17 a.m. Not from our SIEM. Not from our SOC.
From the CFO.
"Is this real?" she asked. "Because if it is, we’re down tomorrow."
It was.
SAP’s June 2026 patch dropped with 15 fixes. Four of them are critical. And two of those? They don’t even need a username.
You read that right.
No credentials. No phishing. No lateral movement.
Just a single crafted request, sent from anywhere that can reach the system, which for too many landscapes means the internet, and suddenly someone’s inside your SAP ERP, your Commerce Cloud storefront, your payroll data, your supply chain logs.
This isn’t a vulnerability.
It’s a backdoor with a neon sign.
Let me break it down.
CVE-2026-44748: The SAML Bypass That Doesn’t Care Who You Are
The crown jewel of this patch cycle is CVE-2026-44748. CVSS 9.9. That’s not "critical." That’s "burn the building down and call it a fire drill."
It lives in SAP NetWeaver AS ABAP and ABAP Platform—the bedrock of nearly every SAP ERP system on the planet.
Here’s how it works. The pattern is the classic XML Signature Wrapping attack:
An attacker starts with a valid, signed SAML assertion for a legitimate user. Not a privileged user. Just someone who logs in normally. They leave that signed assertion untouched, so its signature still verifies, then restructure the document around it: the original node gets tucked under a wrapper element, and a second, unsigned assertion naming a different user goes in front of it. They send the repackaged response to the SAP system.
The system? It verifies the signature once, against the node the signature points at, then reads the identity from the node the attacker added. It never checks that the element it acts on is the element that was actually signed. It just trusts it.
And suddenly, the attacker is logged in as the CFO. Or the CIO. Or the system admin who has access to all the financial data.
This isn’t theoretical.
SAP’s bulletin says it enables "unauthorized access to sensitive user data and potential disruption of normal system usage." Translation: someone logged in as an administrator can change or delete master data, reroute payments, or lock you out of your own system.
And the worst part?
It’s been live since 2024.
Nobody went looking, because SAML is assumed to be "secure by design."
It isn’t. A signed assertion is only as trustworthy as the consumer that checks which element the signature actually covers.
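Here is what that consumer-side mistake looks like in code. This is an added Python example written for this article, not SAP’s code and not taken from the bulletin; it models the generic XML Signature Wrapping pattern, not the specific NetWeaver code path. An HMAC over the serialized assertion stands in for XML-DSig’s RSA signature and C14N canonicalization, and the function names (issue_response, naive_consumer, hardened_consumer, wrap_attack) are invented for the demo.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Shared key standing in for the IdP's signing key (constructed for this demo).
# Real SAML uses XML-DSig with an RSA/ECDSA key and C14N canonicalization;
# the HMAC-over-serialization below is a toy with the same trust structure.
IDP_KEY = b"demo-idp-signing-key"


def canonical_bytes(elem):
    """Serialize an element with its enveloped <Signature> removed, which is
    what the enveloped-signature transform does before digesting."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def issue_response(name_id, assertion_id="_a1"):
    """Constructed IdP: one Assertion for name_id, carrying an enveloped
    signature whose Reference points at the Assertion's own ID."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID=assertion_id)
    subject = ET.SubElement(assertion, "Subject")
    ET.SubElement(subject, "NameID").text = name_id
    mac = hmac.new(IDP_KEY, canonical_bytes(assertion), hashlib.sha256).hexdigest()
    signature = ET.SubElement(assertion, "Signature")
    signed_info = ET.SubElement(signature, "SignedInfo")
    ET.SubElement(signed_info, "Reference", URI="#" + assertion_id)
    ET.SubElement(signature, "SignatureValue").text = mac
    return ET.tostring(root, encoding="unicode")


def find_by_id(root, elem_id):
    """ID lookup the way many consumers do it: first element with that ID."""
    for elem in root.iter():
        if elem.get("ID") == elem_id:
            return elem
    return None


def verify_signature(root, signature):
    """Check the signature against the element its Reference URI points at.
    Returns that element on success, None on failure."""
    reference = signature.find("SignedInfo/Reference")
    if reference is None:
        return None
    signed = find_by_id(root, reference.get("URI", "").lstrip("#"))
    if signed is None:
        return None
    expected = hmac.new(IDP_KEY, canonical_bytes(signed), hashlib.sha256).hexdigest()
    given = signature.findtext("SignatureValue") or ""
    return signed if hmac.compare_digest(expected.encode(), given.encode()) else None


def naive_consumer(xml_text):
    """Vulnerable pattern: verify *a* signature somewhere in the document, then
    read the identity from the first Assertion found. The two steps are never
    tied to the same element."""
    root = ET.fromstring(xml_text)
    signature = root.find(".//Signature")
    if signature is None or verify_signature(root, signature) is None:
        return None
    return root.findtext(".//Assertion/Subject/NameID")


def hardened_consumer(xml_text):
    """Only act on the element the signature actually covers: exactly one
    Assertion anywhere in the Response, its Signature enveloped directly inside
    it, and the element that verified must be that same Assertion object."""
    root = ET.fromstring(xml_text)
    if len(list(root.iter("Assertion"))) != 1:
        return None
    assertion = root.find("Assertion")  # direct child of Response, not wrapped deeper
    if assertion is None:
        return None
    signatures = assertion.findall("Signature")
    if len(signatures) != 1:
        return None
    if verify_signature(root, signatures[0]) is not assertion:
        return None
    return assertion.findtext("Subject/NameID")


def wrap_attack(signed_response, impersonate):
    """Constructed XML Signature Wrapping: keep the signed Assertion intact (so
    verification still passes), move it under a wrapper element, and place an
    unsigned Assertion for the target account in front of it."""
    root = ET.fromstring(signed_response)
    original = root.find("Assertion")
    root.remove(original)
    fake = ET.Element("Assertion", ID="_evil")
    ET.SubElement(ET.SubElement(fake, "Subject"), "NameID").text = impersonate
    root.insert(0, fake)
    ET.SubElement(root, "Extensions").append(original)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    legit = issue_response("alice")
    forged = wrap_attack(legit, "cfo")
    print("naive    legit :", naive_consumer(legit))      # alice
    print("naive    forged:", naive_consumer(forged))     # cfo  <- impersonation
    print("hardened legit :", hardened_consumer(legit))   # alice
    print("hardened forged:", hardened_consumer(forged))  # None <- rejected
```

The naive consumer accepts the forged response because the signed assertion really is untouched; the failure is that the identity is read from a different node than the one the signature covered. The hardened consumer ties the pieces together: one assertion in the whole document, its signature enveloped directly inside it, and the element that verified is the element consumed. A production validator should additionally reject duplicate IDs and use the XML-DSig library’s canonicalization rather than raw serialization.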
CVE-2026-27671: The Ghost in the Kernel
Then there’s CVE-2026-27671.
This one’s even scarier.
No authentication needed. Not even a valid session.
It’s an unauthenticated memory corruption flaw in the ABAP Application Server kernel.
All it takes is a crafted RFC request—something your system accepts as routine traffic from internal partners, legacy integrations, or even your own CI/CD pipeline.
Send it just right, and you crash the server.
Or worse.
You execute arbitrary code.
SAP’s description is clinical: "Improper kernel validation leads to memory corruption." But what that means in practice?
An attacker with zero privileges can take over your entire SAP landscape.
MFA doesn’t stop it; the flaw sits before authentication ever happens.
Firewall rules don’t fix it either, though they do decide who can reach the gateway port in the first place. If 33NN is reachable from a flat internal network, or worse from the internet, everyone who can reach it is a candidate attacker. Restricting that reachability and tightening the gateway ACLs (secinfo and reginfo) buys you time while the patch goes in. It does not buy you safety.
It doesn’t care if you’re on-prem or in the cloud.
It doesn’t care if you’ve got a SOC team of 12.
It just waits.
And if you haven’t patched by now?
Assume you’re compromised until you’ve looked, and look hard.
The Other Two: Still Dangerous. Still Ignored.
CVE-2026-22732 hits SAP Commerce Cloud (formerly Hybris). It’s a Spring Security flaw that lets attackers manipulate product pricing, steal customer profiles, or bypass checkout validation.
Think about that.
Your e-commerce platform. The face of your brand. The engine of your revenue.
And it’s vulnerable to a flaw that’s been sitting in the code since last year.
CVE-2026-40128? Directory traversal in the Java web container. A request path that climbs out of the web root with ../ segments lets attackers read configuration files, pull database credentials out of them, maybe even find your SAP service accounts.
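What that looks like at the code level, as an added Python example written for this article (not the container’s code and not from the bulletin): a file handler that joins the request path onto the web root, beside one that resolves the final path and refuses anything outside the root. The directory layout, file names and the db.password value are constructed for the demo.

```python
import os
import tempfile


def build_demo_webroot():
    """Constructed layout for the demo: a web root with one public file, and a
    properties file holding a database password one directory above it (the
    kind of file a traversal typically goes after)."""
    top = tempfile.mkdtemp(prefix="traversal-demo-")
    webroot = os.path.join(top, "webroot")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "index.html"), "w", encoding="utf-8") as f:
        f.write("<h1>storefront</h1>")
    with open(os.path.join(top, "datasource.properties"), "w", encoding="utf-8") as f:
        f.write("db.url=jdbc:hsqldb:file:data\ndb.password=hunter2\n")
    return webroot


def serve_file_vulnerable(webroot, requested):
    """Vulnerable pattern: the request path is joined onto the web root and
    opened as-is. '../' segments walk out of the root; an absolute path
    replaces the root entirely."""
    path = os.path.join(webroot, requested)
    with open(path, "rb") as f:
        return f.read()


def serve_file_hardened(webroot, requested):
    """Resolve the final path (following symlinks and collapsing '..') and
    refuse anything that does not land inside the resolved web root."""
    base = os.path.realpath(webroot)
    path = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, path]) != base:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(path, "rb") as f:
        return f.read()


def is_blocked(webroot, requested):
    """True if the hardened handler refuses the request."""
    try:
        serve_file_hardened(webroot, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = build_demo_webroot()
    print(serve_file_hardened(root, "index.html"))
    print(serve_file_vulnerable(root, "../datasource.properties"))  # credentials leak
    print(is_blocked(root, "../datasource.properties"))             # True
    print(is_blocked(root, "sub/../../datasource.properties"))      # True
    print(is_blocked(root, "/etc/hosts"))                           # True
```

The check compares resolved paths, so a symlink planted inside the web root that points outside it is caught as well. In a real container the comparison has to happen after exactly one round of URL decoding; a check run before a later decode step is bypassed by double-encoded ../ segments.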
All four flaws? They’re in the same patch. All four are exploitable remotely. All four are high-impact.
And yet, I’ve seen companies wait three weeks to patch.
They say, "We’ll test in staging first."
They say, "We need a change window."
They say, "It’s not our system—it’s the vendor’s."
None of that matters.
When the flaw is unauthenticated and CVSS 9.8+, your "process" is a liability.
Why This Isn’t Just About SAP
This isn’t an SAP problem.
It’s a trust problem.
We’ve been trained to believe that enterprise software is "secure." That SAP, Oracle, Microsoft—they’ve got it covered.
They don’t.
They ship code. They fix bugs. But they don’t protect you.
You have to protect yourself.
Every time you say, "It’s not our fault," you’re giving away your agency.
This patch isn’t optional.
It’s not a recommendation.
It’s a mandate.
If you’re running NetWeaver or Commerce Cloud?
Patch now.
Then verify the patch level actually changed on every instance, not only the one you tested.
Then verify again.
And if you’re still waiting for a ticket to be approved?
You’re already late.
The Real Cost of Waiting
I worked with a manufacturing client last year. They had a similar patch cycle. They waited. They tested. They waited again.
Three weeks later, their SAP system was holding ransomware.
The attackers didn’t get in through phishing.
They got in through CVE-2026-27671.
They encrypted their production orders. Locked out their warehouse. Stole their customer list.
The cost? $22 million.
Not in fines.
Not in downtime.
In lost customers.
People stopped trusting them.
Because when your ERP goes down, your reputation goes with it.
Final Thought: Patching Isn’t a Task. It’s a Mindset.
I’ve worked with teams who treat patching like a quarterly chore. They schedule it. They check the box. They move on.
That’s not security.
That’s theater.
Security isn’t about having the latest tools.
It’s about having the discipline to act when the stakes are highest.
When the flaw is unauthenticated.
When the exploit is simple.
When the impact is total.
This patch isn’t optional.
It’s existential.
Patch now. Then verify.
And for God’s sake—don’t wait for someone else to tell you it’s time.
— Casey Vance
This article is based on the official SAP Security Bulletin for June 2026 and public reporting from BleepingComputer. Full details are available only to SAP Security Portal subscribers.