Critical Memory Corruption vulnerability in SAP NetWeaver AS ABAP patched in collaboration with the Onapsis Research Labs
Highlights of July SAP Security Notes analysis include:
- July Summary – Twenty new and updated SAP security patches released, including four HotNews Notes and six High Priority Notes
- SAP Approuter – Central component affected by one HotNews and one High Priority vulnerability
- Onapsis Research Labs Contribution – Our team supported SAP in patching four vulnerabilities, including one HotNews and one High Priority SAP Security Note
SAP has published twenty new and updated SAP Security Notes in its July Patch Day, including four HotNews Notes and six High Priority Notes. Four of the sixteen new SAP Security Notes were published in collaboration with the Onapsis Research Labs.

The HotNews Notes in Detail
The Onapsis Research Labs (ORL) supported SAP in patching a critical vulnerability in the memory management of an SAP NetWeaver Application Server ABAP. SAP Security Note #3747367, tagged with a CVSS score of 9.9, addresses this Memory Corruption vulnerability and points out that a successful exploit by an authenticated attacker could lead to unauthorized data access, modification, or system unavailability. As a temporary workaround the note proposes to disable all ICF nodes with a specific property in transaction SICF. Since the workaround will disable opening transactions in SAP GUI for HTML, it is not an option for all customers and it is strongly recommended to install the patching ABAP Kernel version.
SAP Security Note #3720138, tagged with a CVSS score of 9.1, patches a HTTP Request Smuggling vulnerability in SAP Approuter. The vulnerability affects SAP Approuter deployments in non-Cloud Foundry environments and allows an unauthenticated attacker to send a specially crafted HTTP request that leads to request-response desynchronization. To avoid the possible strong negative impact on the system’s confidentiality and availability, the vulnerable node.js package must be updated. KBA note #3770203 provides additional information for customers using XSA.
SAP Security Note #3753495, tagged with a CVSS score of 9.1, patches a Hardcoded Credential vulnerability in SAP Commerce Cloud. SAP Commerce Cloud is susceptible to unauthorized data access and modification due to the potential retention of publicly documented, sample OAuth2 client credentials in production environments.
The vulnerability stems from sample configuration scripts previously provided in the SAP Help Portal. These scripts, intended strictly for development and testing, configure OAuth2 clients with hardcoded, well-known credentials. Older versions of the documentation did not explicitly warn customers against importing these default settings into production. An unauthenticated attacker can leverage these publicly available, default credentials to obtain a valid access token. With this token, they can invoke specific APIs to read and alter system data. Exploitation requires that the customer executed the sample script and retained the resulting OAuth2 client in production without replacing the hardcoded secret. Customers who removed the sample client or replaced the secret with a strong, unique value are not affected. The note patches only the SAP Commerce documentation. In a manual remediation step, customers must audit their production environments for the presence of the affected sample OAuth2 client. If the client exists with the original documented clientSecret, it must be removed. Additional information can be found in FAQ Note #3758007.
SAP Security Note #3727078, tagged with a CVSS score of 9.0, addresses a Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) and was initially released in collaboration with the Onapsis Research Labs on SAP’s June Patch Day. SAP has provided support for additional support packages.
The High Priority Notes in Detail
SAP Security Note #3758101, tagged with a CVSS score of 8.8, addresses multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell). The vulnerabilities are tracked under, CVE-2026-40860 (CVSS 8.8), CVE-2026-40453 (CVSS 8.5), and CVE-2026-33454 (CVSS 7.7) and impact message-based header injection and deserialization mechanisms in camel mail and JMS components. SAP has patched all vulnerabilities with SAP Integration Suite Edge Integration Cell version 8.43.11 or later. This version implements a whitelist of safe classes for deserialization, preventing malicious custom classes from being deserialized and executed on the server.
SAP Security Note #3692165, tagged with a CVSS score of 8.4, patches a DLL Hijacking vulnerability in SAProuter on Microsoft Windows. It allows an unauthenticated attacker to load library (DLL) files from an untrusted location, allowing them to execute malicious code on the system. This could enable the attacker to hijack the DLL loading process and achieve arbitrary code execution. The note provides patches for stand-alone SAProuters and SAProuters in the SAP kernel. The note points out that the patch is not a replacement for securing the SAProuter installation folder with the proper write protection.
SAP Security Note #3748227, tagged with a CVSS score of 8.2, was published in collaboration with the Onapsis Research Labs (ORL). It patches a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard). The ORL team was able to inject malicious JavaScript through crafted URLs as an unauthenticated attacker. When a victim accesses such a URL, the script executes in the user’s browser, allowing the attacker to access sensitive session information and modify non-sensitive data displayed in the client’s browser. As a temporary workaround, the application aliases can be disabled.
SAP Security Note #3741519, tagged with a CVSS score of 8.1, patches an Open Redirect vulnerability in SAP Approuter. Under certain configurations, SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow. This enables an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. A successful exploitation results in a high impact to the confidentiality and integrity of the application.
SAP Security Note #3763800, tagged with a CVSS score of 8.1, is titled ‘Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud’. The vulnerabilities are tracked under CVE-2026-43512 (CVSS 8.1), CVE-2026-41293 (CVSS 8.1), and CVE-2026-43515 (CVSS 7.4). We recommend checking the note carefully. Contrary to the note title, it also appears to contain patches for SAP Data Hub in the Public Cloud and SAP Commerce and SAP Data Hub on premise. Customers should also check the referenced FAQ document #3768608.
SAP Security Note #3773304, tagged with a CVSS score of 7.6, patches a Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach). The vulnerability allows an authenticated attacker to supply a specially crafted archive file which, when processed by the application’s library, can trigger insecure deserialization and lead to remote code execution (RCE) on the system. Successful exploitation requires a victim to process the malicious archive, enabling the attacker to execute the RCE and extract sensitive information and gain control over the system and its processes. With the release of the Security Note, SAP stops supporting the tool and recommends to stop using it and to remove all copies from the system.
Onapsis Contribution
In addition to HotNews Note #3747367 and High Priority Note #3748227, the Onapsis Research Labs (ORL) supported SAP in patching another two vulnerabilities.
SAP Security Note #3746678, tagged with a CVSS score of 6.1, patches a Cross Site Scripting vulnerability in SAP NetWeaver Enterprise Portal. The ORL team was able to inject malicious scripts into a URL parameter without the need for authentication. The scripts are reflected in the server response and executed in a user’s browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection.
SAP Security Note #3732522, tagged with a CVSS score of 3.7, addresses an Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service). Under certain conditions, the HANA XS classic model user self service does not return a generic response when invalid input was supplied, allowing distinction between valid and invalid entries. An unauthenticated attacker could exploit this by sending specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses.  Â
Summary & Conclusions
With twenty SAP Security Notes, including four HotNews Notes and six High Priority Notes, SAP’s July Patch Day is another busy one. Four SAP Security Notes were released in collaboration with the Onapsis Research Labs and thus, our team could once more significantly contribute to making SAP applications more secure.
| SAP Note | Type | Description | Priority | CVSS |
| 3747367 | New | [CVE-2026-44747] Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP BC-FES-ITS | HotNews | 9.9 |
| 3720138 | New | [CVE-2026-27690] HTTP Request Smuggling in SAP Approuter BC-XS-APR | HotNews | 9.1 |
| 3753495 | New | [CVE-2026-44761] Insecure Sample Credentials in SAP Commerce Cloud CEC-SCC-COM-BC-OCC | HotNews | 9.1 |
| 3727078 | Update | [CVE-2026-40128] Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container) BC-JAS-WEB | HotNews | 9.0 |
| 3758101 | New | [CVE-2026-40860] Multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell) LOD-HCI-PI-CON-SOAP | High | 8.8 |
| 3692165 | New | [CVE-2026-0487] DLL Hijacking vulnerability in SAProuter on Microsoft Windows BC-CST-NI | High | 8.4 |
| 3748227 | New | [CVE-2026-44752] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard) BC-INS-CTC-RT | High | 8.2 |
| 3763800 | New | [Multiple CVEs] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud CEC-SCC-PLA-PL | High | 8.1 |
| 3741519 | New | [CVE-2026-44745] Open Redirect vulnerability in SAP Approuter BC-CP-APR | High | 8.1 |
| 3773304 | New | [CVE-2026-58233] Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach) BC-CTS-TMS-PLS | High | 7.6 |
| 3746678 | New | [CVE-2026-44759] Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal EP-PIN-AI-SRA | Medium | 6.1 |
| 3692004 | Update | [CVE-2026-34257] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP BC-FES-ITS | Medium | 6.1 |
| 3537373 | New | [CVE-2026-44769] SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) PPM-PRO | Medium | 5.5 |
| 3754659 | New | [CVE-2026-44760] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages) BC-BSP | Medium | 4.7 |
| 3515598 | New | [CVE-2026-44771] Missing Authorization check in SAP S/4HANA (Draft operation) FIN-FSCM-CLM-COP | Medium | 4.3 |
| 3713902 | New | [CVE-2026-44770] Missing Authorization check in SAP S/4 HANA (Create Single Payment) FI-FIO-AP-PAY | Medium | 4.3 |
| 3682699 | Update | [CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori (launchpad) CA-FLP-FE-COR | Medium | 4.2 |
| 3155685 | New | [CVE-2026-44768] Security misconfiguration in SAP CRM (WebClient UI) CA-WUI-UI | Medium | 4.1 |
| 3732522 | New | [CVE-2026-44753] – Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service) HAN-AS-XS | Low | 3.7 |
| 3726899 | Update | [CVE-2025-68161] Potential vulnerability in Apache Log4j library used by SAP NetWeaver AS Java BC-JAS-SEC-UME | Low | 3.3 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.
