THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-09-F3
CYBER · cves zero days · 2026-06-09SCOOP 66

SAP patches 4 critical flaws up to CVSS 9.9 in NetWeaver and Commerce Cloud on June Patch Day

SAP's June 2026 Security Patch Day, released June 9, delivered 15 new security notes including four HotNews-rated vulnerabilities — an unusually critical batch for the ERP vendor.

·FILED ISSUE 2026-06-09·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • SAP released 15 new security notes on June 9, 2026, including four HotNews-rated vulnerabilities
  • CVE-2026-44748 (CVSS 9.9): XML Signature Wrapping flaw in SAML authentication for NetWeaver AS ABAP and ABAP Platform
  • CVE-2026-27671 (CVSS 9.8): memory corruption in the AS ABAP kernel exploitable via crafted RFC requests without credentials
  • CVE-2026-22732 (CVSS 9.1): Spring Security flaw affecting SAP Commerce Cloud and SAP Data Hub, unauthenticated remote exploitation
  • CVE-2026-40128 (CVSS 9.0): directory traversal in NetWeaver AS Java Web Container

VERDICT — CONFIRMED

high confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
SAP patches 4 critical flaws up to CVSS 9.9 in NetWeaver and Commerce Cloud on June Patch
via SecurityWeek

SAP's June 2026 Security Patch Day, released June 9, delivered 15 new security notes including four HotNews-rated vulnerabilities — an unusually critical batch for the ERP vendor. The most severe, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping flaw in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform that lets a low-privileged authenticated attacker obtain a valid signed message and transmit modified signed XML documents, enabling tampered identity assertions, unauthorized access to sensitive user data and privilege escalation across enterprise systems.

CVE-2026-27671 (CVSS 9.8) is a memory-corruption bug in the Application Server ABAP kernel triggered by specially crafted RFC requests that exploit improper protocol validation without any valid credentials. CVE-2026-22732 (CVSS 9.1) inherits a Spring Security framework vulnerability into SAP Commerce Cloud and SAP Data Hub, exploitable by unauthenticated remote attackers without user interaction, while CVE-2026-40128 (CVSS 9.0) is a directory traversal flaw in the NetWeaver Application Server Java Web Container exposing sensitive resources.

The release also comprises two High-priority notes, seven Medium and two Low, plus fixes for high-severity Apache Tomcat flaws in Commerce Cloud and a missing authorization check in NetWeaver. SAP urged customers to visit the Support Portal and apply the patches 'on priority.'

Why it matters

SAML-bypass and unauthenticated RFC memory-corruption flaws sit at the identity and protocol core of thousands of enterprise ERP landscapes, and SAP HotNews bugs have historically been weaponized within weeks of disclosure.

Key facts on file

  • SAP released 15 new security notes on June 9, 2026, including four HotNews-rated vulnerabilities
  • CVE-2026-44748 (CVSS 9.9): XML Signature Wrapping flaw in SAML authentication for NetWeaver AS ABAP and ABAP Platform
  • CVE-2026-27671 (CVSS 9.8): memory corruption in the AS ABAP kernel exploitable via crafted RFC requests without credentials
  • CVE-2026-22732 (CVSS 9.1): Spring Security flaw affecting SAP Commerce Cloud and SAP Data Hub, unauthenticated remote exploitation
  • CVE-2026-40128 (CVSS 9.0): directory traversal in NetWeaver AS Java Web Container
  • Release breakdown: 4 HotNews, 2 High, 7 Medium, 2 Low priority notes

PRIMARY SOURCE

SAP
— SAP Product Security Response (2026-06-09) · fetched at filing · archived at publication

Sources · two-source rule

PRIMARYSAP— SAP Product Security Response (2026-06-09)
CORROB.SecurityWeek— Ionut Arghire (2026-06-09)
CORROB.heise online— (2026-06-09)
CORROB.BleepingComputer— (2026-06-09)
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-09-f3 · filed 2026-06-09 · https://thedwire.com/wire/cyb-2026-06-09-f3-sap-patches-4-critical-flaws-up-to-cvss-9-9-in-netweaver.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
CrowdStrike: China-nexus actors drove 58% of state-sponsored intrusions against
via CrowdStrike
CYBER · SCOOP 60

CrowdStrike: China-nexus actors drove 58% of state-sponsored intrusions against tech sector

CrowdStrike published its 2026 Technology Threat Landscape Report on June 9, finding China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector — now the most-targeted industry globally — over the report's April 1, 2025 to March 31, 2026 window, with campaigns focused on stealing AI capabilities

✓ verifiednewSOURCE ↗
READ THE FILE ›
Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives a
Help Net Security
CYBER · SCOOP 74

Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives agencies three days to patch

Check Point confirmed on June 8 that attackers are exploiting CVE-2026-50751, a critical (CVSS 9.3) authentication bypass in the deprecated IKEv1 key exchange used by its Remote Access VPN, Mobile Access/SSL VPN and Quantum Spark firewalls, and released an emergency hotfix. The logic flaw in certificate validation allows attackers to esta

✓ verifiednewSOURCE ↗
READ THE FILE ›
ShinyHunters Dumps 234 GB From DentaQuest, Exposing PII/PHI of ~2.6 Million in &
Security Affairs
CYBER · SCOOP 64

ShinyHunters Dumps 234 GB From DentaQuest, Exposing PII/PHI of ~2.6 Million in 'Pay-or-Leak' Extortion

The extortion group ShinyHunters published approximately 234 GB of data stolen from dental-benefits administrator DentaQuest, a subsidiary of Sun Life Financial, in a 'pay-or-leak' scheme, impacting roughly 2.6 million individuals. ShinyHunters posted DentaQuest to its Tor leak site in May 2026 and released the data after negotiations rep

✓ verified
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.