Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

SAP Patches CVSS 9.9 NetWeaver ABAP Flaw That Could Expose or Modify Data

The Hacker News by The Hacker News
July 14, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananJul 14, 2026Enterprise Security / Vulnerability

SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP.

The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability.

“As a temporary workaround the note proposes to disable all ICF nodes with a specific property in transaction SICF,” SAP security firm Onapsis said. “Since the workaround will disable opening transactions in SAP GUI for HTML, it is not an option for all customers and it is strongly recommended to install the patching ABAP Kernel version.”

Also addressed by SAP are two other critical vulnerabilities –

  • CVE-2026-27690 (CVSS score: 9.1) – An HTTP request/response smuggling flaw in SAP Approuter deployments in non-Cloud Foundry environments that allows an unauthenticated attacker to send a specially crafted HTTP request that leads to request-response desynchronization and results in the exposure of user responses and triggers denial-of-service (DoS) attacks.
  • CVE-2026-44761 (CVSS score: 9.1) – A use of default credentials flaw in SAP Commerce Cloud that could retain a sample OAuth 2.0 client with publicly documented sample credentials originating from a sample configuration provided in SAP Help Portal documentation.

“If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data,” according to a description of CVE-2026-44761 in the NIST National Vulnerability Database (NVD). “Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability.”

Onapsis noted that the vulnerability stems from sample configuration scripts previously provided in the SAP Help Portal. These scripts, originally meant for development and testing, configure OAuth 2.0 clients with hard-coded, well-known credentials.

“Older versions of the documentation did not explicitly warn customers against importing these default settings into production,” it noted. “An unauthenticated attacker can leverage these publicly available, default credentials to obtain a valid access token. With this token, they can invoke specific APIs to read and alter system data. Exploitation requires that the customer executed the sample script and retained the resulting OAuth 2.0 client in production without replacing the hard-coded secret.”

It’s worth noting that customers who removed the sample client or replaced the secret with a strong, unique value are not impacted by the bug. Customers are recommended to audit their production environments for the presence of the affected sample OAuth 2.0 client. If the client exists, it must be removed.

Although there is no evidence of the flaws being exploited in the wild, it’s advised to apply the necessary updates for optimal protection.



Source link

The Hacker News

The Hacker News

Next Post
CASIO Makes Classroom-Ready Calculator Free for Everyone with Launch of fx-300ES PLUS Online Emulator

CASIO Makes Classroom-Ready Calculator Free for Everyone with Launch of fx-300ES PLUS Online Emulator

Recommended.

Fix SOC Blind Spots: See Threats to Your Industry & Country in Real Time

Fix SOC Blind Spots: See Threats to Your Industry & Country in Real Time

December 17, 2025
Goeroptics presenta soluciones de impresión 3D e inspección visual de alta precisión en Formnext 2025

Goeroptics presenta soluciones de impresión 3D e inspección visual de alta precisión en Formnext 2025

November 25, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio