Critical Vulnerabilities in SAP NetWeaver and SAP Commerce Cloud
12 June 2026
Attackers can exploit critical vulnerabilities in SAP NetWeaver and SAP Commerce Cloud to gain unauthorised access and compromise affected systems. Users and administrators are advised to patch immediately.
Background
SAP has released security updates to address multiple critical vulnerabilities affecting SAP NetWeaver and SAP Commerce Cloud, as part of SAP's Security Patch Day in June 2026. These vulnerabilities include an XML Signature Wrapping vulnerability (CVE-2026-44748), a memory corruption vulnerability (CVE-2026-27671), a Spring Security vulnerability (CVE-2026-22732), and a directory traversal vulnerability (CVE-2026-40128).
The Common Vulnerability Scoring System (CVSS v3.1) scores of these vulnerabilities, out of 10, are: CVE-2026-44748 at 9.9, CVE-2026-27671 at 9.8, CVE-2026-22732 at 9.1, and CVE-2026-40128 at 9.0.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
CVE-2026-44748: Due to an XML Signature Wrapping vulnerability in the SAML-based authentication mechanism, an authenticated attacker could modify signed XML documents to bypass authentication controls, resulting in unauthorised access to sensitive user data on the affected system.
CVE-2026-27671: Due to improper kernel validation in SAP NetWeaver AS ABAP, an unauthenticated attacker could send specially crafted RFC requests to cause memory corruption, potentially leading to full compromise of the affected system.
CVE-2026-22732: Due to a Spring Security misconfiguration in SAP Commerce Cloud and SAP Data Hub, an unauthenticated attacker could gain unauthorised access to the affected system.
CVE-2026-40128: Due to a directory traversal vulnerability in the SAP NetWeaver Application Server Java Web Container, an attacker could access files outside the intended directory on the affected system.
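As an added example, not part of this advisory or of SAP's code, the structural pre-check below shows how a SAML service provider can refuse to consume an Assertion that is not the element its enveloped ds:Signature references, which is the XML Signature Wrapping pattern described for CVE-2026-44748. The function name and the two constructed SAML samples are assumptions, and cryptographic verification of the signature is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_signed_assertion(response_xml: str):
    """Return (ok, reason). Structural check only: cryptographic verification
    of the signature is assumed to happen separately in the real consumer."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        return False, f"expected one Assertion, found {len(assertions)}"
    assertion = assertions[0]
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        return False, f"expected one Signature, found {len(sigs)}"
    sig = sigs[0]
    if sig not in list(assertion):  # must be enveloped in the consumed Assertion
        return False, "Signature is not a child of the Assertion"
    refs = sig.findall(".//ds:Reference", NS)
    uri = refs[0].get("URI", "") if len(refs) == 1 else ""
    if len(uri) < 2 or not uri.startswith("#"):
        return False, "expected exactly one same-document Reference URI"
    # The signed ID must resolve uniquely to the Assertion being consumed.
    holders = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(holders) != 1 or holders[0] is not assertion:
        return False, "signed ID does not resolve uniquely to the Assertion"
    return True, "ok"

# Constructed samples (structure only; the signature value is a placeholder).
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
       '<ds:SignedInfo><ds:Reference URI="#{id}"/></ds:SignedInfo>'
       '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">')
SIGNED = ('<saml:Assertion ID="a1">' + SIG.format(id="a1") +
          '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
          '</saml:Assertion>')
LEGIT = HEAD + SIGNED + '</samlp:Response>'
# Wrapped variant: the signed Assertion is moved under Extensions and a second,
# unsigned Assertion with another subject is added; the check rejects it.
WRAPPED = (HEAD + '<samlp:Extensions>' + SIGNED + '</samlp:Extensions>'
           '<saml:Assertion ID="a2"><saml:Subject><saml:NameID>admin'
           '</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
```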
Affected Products
These vulnerabilities affect the following SAP products and versions:
CVE-2026-44748 (SAP NetWeaver AS ABAP and ABAP Platform): SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 918, SAP_BASIS 919
CVE-2026-27671 (SAP NetWeaver AS ABAP and ABAP Platform): KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19
CVE-2026-22732 (SAP Commerce Cloud and SAP Data Hub): HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21, DHUB_CLOUD 2211
CVE-2026-40128 (SAP NetWeaver Application Server Java — Web Container): ENGINEAPI 7.50
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately.
References
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2026.html
https://nvd.nist.gov/vuln/detail/CVE-2026-44748
https://nvd.nist.gov/vuln/detail/CVE-2026-27671
https://nvd.nist.gov/vuln/detail/CVE-2026-22732
