🔴 Critical  |  Source: The Hacker News


SAP has issued a critical patch for CVE-2026-44747, a CVSS 9.9 out-of-bounds write vulnerability in SAP NetWeaver Application Server ABAP. The flaw allows an authenticated attacker to corrupt memory through logical errors in memory management, potentially exposing or modifying sensitive data. Given NetWeaver ABAP’s widespread use as a core enterprise application platform, the blast radius for unpatched systems is substantial.

Security Architect’s Take: Prioritise patching SAP NetWeaver ABAP instances immediately as part of an emergency change — a CVSS 9.9 with authenticated access as the only barrier is highly exploitable in environments with broad internal user bases or compromised accounts. Review SAP Security Note for CVE-2026-44747, confirm patch deployment across all landscapes (development, QA, production), and validate that SAP systems are not directly internet-exposed without a WAF or SAP Web Dispatcher.

Original advisory: SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data